pax_global_header00006660000000000000000000000064140261373250014515gustar00rootroot0000000000000052 comment=1f24fd487f361419a5fd1fd2ee75ce1228d422a8 python-evtx-0.7.4/000077500000000000000000000000001402613732500140325ustar00rootroot00000000000000python-evtx-0.7.4/.github/000077500000000000000000000000001402613732500153725ustar00rootroot00000000000000python-evtx-0.7.4/.github/workflows/000077500000000000000000000000001402613732500174275ustar00rootroot00000000000000python-evtx-0.7.4/.github/workflows/publish.yml000066400000000000000000000015411402613732500216210ustar00rootroot00000000000000# This workflows will upload a Python Package using Twine when a release is created # For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries name: Upload Python Package on: release: types: [created] jobs: deploy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Set up Python uses: actions/setup-python@v2 with: python-version: '3.x' - name: Install dependencies run: | python -m pip install --upgrade pip pip install setuptools wheel twine - name: Build and publish env: TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} run: | python setup.py sdist bdist_wheel twine upload dist/* python-evtx-0.7.4/.github/workflows/test.yml000066400000000000000000000015131402613732500211310ustar00rootroot00000000000000name: test on: push: branches: [ master ] pull_request: branches: [ master ] jobs: tests: name: Tests in ${{ matrix.python }} runs-on: ubuntu-latest strategy: fail-fast: false matrix: include: - python: 2.7 - python: 3.8 steps: - name: Checkout python-evtx with submodules uses: actions/checkout@v2 with: submodules: true - name: Set up Python ${{ matrix.python }} uses: actions/setup-python@v2 with: python-version: ${{ matrix.python }} - name: Install lxml deps run: sudo apt-get install -y libxml2-dev libxslt1-dev python-dev zlib1g-dev - name: Install lxml run: pip install lxml - name: Install python-evtx run: pip install -e .[test] - name: Run tests run: pytest tests/ python-evtx-0.7.4/.gitignore000066400000000000000000000005271402613732500160260ustar00rootroot00000000000000*.py[cod] # C extensions *.so # Packages *.egg *.egg-info dist build eggs parts bin var sdist develop-eggs .installed.cfg lib lib64 # Installer logs pip-log.txt # Unit test / coverage reports .coverage .tox nosetests.xml # Translations *.mo # Mr Developer .mr.developer.cfg .project .pydevproject .idea/* need-to-fix/* testing-evtxs/* python-evtx-0.7.4/.travis.yml000066400000000000000000000006061402613732500161450ustar00rootroot00000000000000language: python matrix: include: - os: linux sudo: required python: 2.7 - os: linux sudo: required python: 3.5 install: - sudo apt-get install -y python-lxml - pip install pep8 pytest-cov lxml - pip install -e . script: - find . -name \*.py -exec pep8 --ignore=E501 {} \; - py.test ./tests/ -v --cov=Evtx python-evtx-0.7.4/Evtx/000077500000000000000000000000001402613732500147605ustar00rootroot00000000000000python-evtx-0.7.4/Evtx/BinaryParser.py000066400000000000000000000457431402613732500177500ustar00rootroot00000000000000#!/usr/bin/python # This file is part of python-evtx. # # Copyright 2012, 2013 Willi Ballenthin # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Version v.0.3.0 from __future__ import absolute_import import struct from datetime import datetime from functools import partial import six class memoize(object): """cache the return value of a method From http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/ This class is meant to be used as a decorator of methods. The return value from a given method invocation will be cached on the instance whose method was invoked. All arguments passed to a method decorated with memoize must be hashable. If a memoized method is invoked directly on its class the result will not be cached. Instead the method will be invoked like a static method: class Obj(object): @memoize def add_to(self, arg): return self + arg Obj.add_to(1) # not enough arguments Obj.add_to(1, 2) # returns 3, result is not cached """ def __init__(self, func): self.func = func def __get__(self, obj, objtype=None): if obj is None: return self.func return partial(self, obj) def __call__(self, *args, **kw): obj = args[0] try: cache = obj.__cache except AttributeError: cache = obj.__cache = {} key = (self.func, args[1:], frozenset(list(kw.items()))) if key not in cache: cache[key] = self.func(*args, **kw) return cache[key] def align(offset, alignment): """ Return the offset aligned to the nearest greater given alignment Arguments: - `offset`: An integer - `alignment`: An integer """ if offset % alignment == 0: return offset return offset + (alignment - (offset % alignment)) def dosdate(dosdate, dostime): """ `dosdate`: 2 bytes, little endian. `dostime`: 2 bytes, little endian. returns: datetime.datetime or datetime.datetime.min on error """ try: t = ord(dosdate[1]) << 8 t |= ord(dosdate[0]) day = t & 0b0000000000011111 month = (t & 0b0000000111100000) >> 5 year = (t & 0b1111111000000000) >> 9 year += 1980 t = ord(dostime[1]) << 8 t |= ord(dostime[0]) sec = t & 0b0000000000011111 sec *= 2 minute = (t & 0b0000011111100000) >> 5 hour = (t & 0b1111100000000000) >> 11 return datetime(year, month, day, hour, minute, sec) except: return datetime.min def parse_filetime(qword): # see http://integriography.wordpress.com/2010/01/16/using-phython-to-parse-and-present-windows-64-bit-timestamps/ if qword == 0: return datetime.min try: return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600) except (ValueError, OSError): return datetime.min class BinaryParserException(Exception): """ Base Exception class for binary parsing. """ def __init__(self, value): """ Constructor. Arguments: - `value`: A string description. """ super(BinaryParserException, self).__init__() self._value = value def __repr__(self): return "BinaryParserException({!r})".format(self._value) def __str__(self): return "Binary Parser Exception: {}".format(self._value) class ParseException(BinaryParserException): """ An exception to be thrown during binary parsing, such as when an invalid header is encountered. """ def __init__(self, value): """ Constructor. Arguments: - `value`: A string description. """ super(ParseException, self).__init__(value) def __repr__(self): return "ParseException({!r})".format(self._value) def __str__(self): return "Parse Exception({})".format(self._value) class OverrunBufferException(ParseException): def __init__(self, readOffs, bufLen): tvalue = "read: {}, buffer length: {}".format(hex(readOffs), hex(bufLen)) super(ParseException, self).__init__(tvalue) def __repr__(self): return "OverrunBufferException({!r})".format(self._value) def __str__(self): return "Tried to parse beyond the end of the file ({})".format(self._value) class Block(object): """ Base class for structure blocks in binary parsing. A block is associated with a offset into a byte-string. """ def __init__(self, buf, offset): """ Constructor. Arguments: - `buf`: Byte string containing stuff to parse. - `offset`: The offset into the buffer at which the block starts. """ self._buf = buf self._offset = offset self._implicit_offset = 0 def __repr__(self): return "Block(buf={!r}, offset={!r})".format(self._buf, self._offset) def __str__(self): return str(self) def declare_field(self, type, name, offset=None, length=None): """ Declaratively add fields to this block. This method will dynamically add corresponding offset and unpacker methods to this block. Arguments: - `type`: A string. Should be one of the unpack_* types. - `name`: A string. - `offset`: A number. - `length`: (Optional) A number. For (w)strings, length in chars. """ if offset is None: offset = self._implicit_offset if length is None: def no_length_handler(): f = getattr(self, "unpack_" + type) return f(offset) setattr(self, name, no_length_handler) else: def explicit_length_handler(): f = getattr(self, "unpack_" + type) return f(offset, length) setattr(self, name, explicit_length_handler) setattr(self, "_off_" + name, offset) if type == "byte": self._implicit_offset = offset + 1 elif type == "int8": self._implicit_offset = offset + 1 elif type == "word": self._implicit_offset = offset + 2 elif type == "word_be": self._implicit_offset = offset + 2 elif type == "int16": self._implicit_offset = offset + 2 elif type == "dword": self._implicit_offset = offset + 4 elif type == "dword_be": self._implicit_offset = offset + 4 elif type == "int32": self._implicit_offset = offset + 4 elif type == "qword": self._implicit_offset = offset + 8 elif type == "int64": self._implicit_offset = offset + 8 elif type == "float": self._implicit_offset = offset + 4 elif type == "double": self._implicit_offset = offset + 8 elif type == "dosdate": self._implicit_offset = offset + 4 elif type == "filetime": self._implicit_offset = offset + 8 elif type == "systemtime": self._implicit_offset = offset + 8 elif type == "guid": self._implicit_offset = offset + 16 elif type == "binary": self._implicit_offset = offset + length elif type == "string" and length is not None: self._implicit_offset = offset + length elif type == "wstring" and length is not None: self._implicit_offset = offset + (2 * length) elif "string" in type and length is None: raise ParseException("Implicit offset not supported " "for dynamic length strings") else: raise ParseException("Implicit offset not supported " "for type: {}".format(type)) def current_field_offset(self): return self._implicit_offset def unpack_byte(self, offset): """ Returns a little-endian unsigned byte from the relative offset. Arguments: - `offset`: The relative offset from the start of the block. Throws: - `OverrunBufferException` """ o = self._offset + offset try: return struct.unpack_from("H", self._buf, o)[0] except struct.error: raise OverrunBufferException(o, len(self._buf)) def unpack_int16(self, offset): """ Returns a little-endian signed WORD (2 bytes) from the relative offset. Arguments: - `offset`: The relative offset from the start of the block. Throws: - `OverrunBufferException` """ o = self._offset + offset try: return struct.unpack_from("I", self._buf, o)[0] except struct.error: raise OverrunBufferException(o, len(self._buf)) def unpack_int32(self, offset): """ Returns a little-endian signed integer (4 bytes) from the relative offset. Arguments: - `offset`: The relative offset from the start of the block. Throws: - `OverrunBufferException` """ o = self._offset + offset try: return struct.unpack_from(" # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Version v.0.3.0 from __future__ import absolute_import import re import sys import mmap import binascii import logging from functools import wraps import Evtx.Views as e_views from .Nodes import RootNode from .Nodes import TemplateNode from .Nodes import NameStringNode from .BinaryParser import Block from .BinaryParser import ParseException logger = logging.getLogger(__name__) class InvalidRecordException(ParseException): def __init__(self): super(InvalidRecordException, self).__init__( "Invalid record structure") class Evtx(object): """ A convenience class that makes it easy to open an EVTX file and start iterating the important structures. Note, this class must be used in a context statement (see the `with` keyword). Note, this class will mmap the target file, so ensure your platform supports this operation. """ def __init__(self, filename): """ @type filename: str @param filename: A string that contains the path to the EVTX file to open. """ self._filename = filename self._buf = None self._f = None self._fh = None def __enter__(self): self._f = open(self._filename, "rb") self._buf = mmap.mmap(self._f.fileno(), 0, access=mmap.ACCESS_READ) self._fh = FileHeader(self._buf, 0x0) return self def __exit__(self, type, value, traceback): self._buf.close() self._f.close() self._fh = None def ensure_contexted(func): """ This decorator ensure that an instance of the Evtx class is used within a context statement. That is, that the `with` statement is used, or `__enter__()` and `__exit__()` are called explicitly. """ @wraps(func) def wrapped(self, *args, **kwargs): if self._buf is None: raise TypeError("An Evtx object must be used with" " a context (see the `with` statement).") else: return func(self, *args, **kwargs) return wrapped @ensure_contexted def chunks(self): """ Get each of the ChunkHeaders from within this EVTX file. @rtype generator of ChunkHeader @return A generator of ChunkHeaders from this EVTX file. """ for chunk in self._fh.chunks(): yield chunk @ensure_contexted def records(self): """ Get each of the Records from within this EVTX file. @rtype generator of Record @return A generator of Records from this EVTX file. """ for chunk in self.chunks(): for record in chunk.records(): yield record @ensure_contexted def get_record(self, record_num): """ Get a Record by record number. @type record_num: int @param record_num: The record number of the the record to fetch. @rtype Record or None @return The record request by record number, or None if the record is not found. """ return self._fh.get_record(record_num) @ensure_contexted def get_file_header(self): return self._fh class FileHeader(Block): def __init__(self, buf, offset): logger.debug("FILE HEADER at {}.".format(hex(offset))) super(FileHeader, self).__init__(buf, offset) self.declare_field("string", "magic", 0x0, length=8) self.declare_field("qword", "oldest_chunk") self.declare_field("qword", "current_chunk_number") self.declare_field("qword", "next_record_number") self.declare_field("dword", "header_size") self.declare_field("word", "minor_version") self.declare_field("word", "major_version") self.declare_field("word", "header_chunk_size") self.declare_field("word", "chunk_count") self.declare_field("binary", "unused1", length=0x4c) self.declare_field("dword", "flags") self.declare_field("dword", "checksum") def __repr__(self): return "FileHeader(buf={!r}, offset={!r})".format(self._buf, self._offset) def __str__(self): return "FileHeader(offset={})".format(hex(self._offset)) def check_magic(self): """ @return A boolean that indicates if the first eight bytes of the FileHeader match the expected magic value. """ try: return self.magic() == "ElfFile\x00" except UnicodeDecodeError: return False def calculate_checksum(self): """ @return A integer in the range of an unsigned int that is the calculated CRC32 checksum off the first 0x78 bytes. This is consistent with the checksum stored by the FileHeader. """ return binascii.crc32(self.unpack_binary(0, 0x78)) & 0xFFFFFFFF def verify(self): """ @return A boolean that indicates that the FileHeader successfully passes a set of heuristic checks that all EVTX FileHeaders should pass. """ return self.check_magic() and \ self.major_version() == 0x3 and \ self.minor_version() == 0x1 and \ self.header_chunk_size() == 0x1000 and \ self.checksum() == self.calculate_checksum() def is_dirty(self): """ @return A boolean that indicates that the log has been opened and was changed, though not all changes might be reflected in the file header. """ return self.flags() & 0x1 == 0x1 def is_full(self): """ @return A boolean that indicates that the log has reached its maximum configured size and the retention policy in effect does not allow to reclaim a suitable amount of space from the oldest records and an event message could not be written to the log file. """ return self.flags() & 0x2 == 0x2 def first_chunk(self): """ @return A ChunkHeader instance that is the first chunk in the log file, which is always found directly after the FileHeader. """ ofs = self._offset + self.header_chunk_size() return ChunkHeader(self._buf, ofs) def current_chunk(self): """ @return A ChunkHeader instance that is the current chunk indicated by the FileHeader. """ ofs = self._offset + self.header_chunk_size() ofs += (self.current_chunk_number() * 0x10000) return ChunkHeader(self._buf, ofs) def chunks(self, include_inactive=False): """ @return A generator that yields the chunks of the log file starting with the first chunk, which is always found directly after the FileHeader. If `include_inactive` is set to true, enumerate chunks beyond those declared in the file header (and may therefore be corrupt). """ if include_inactive: chunk_count = sys.maxsize else: chunk_count = self.chunk_count() i = 0 ofs = self._offset + self.header_chunk_size() while ofs + 0x10000 <= len(self._buf) and i < chunk_count: yield ChunkHeader(self._buf, ofs) ofs += 0x10000 i += 1 def get_record(self, record_num): """ Get a Record by record number. @type record_num: int @param record_num: The record number of the the record to fetch. @rtype Record or None @return The record request by record number, or None if the record is not found. """ for chunk in self.chunks(): first_record = chunk.log_first_record_number() last_record = chunk.log_last_record_number() if not (first_record <= record_num <= last_record): continue for record in chunk.records(): if record.record_num() == record_num: return record return None class Template(object): def __init__(self, template_node): self._template_node = template_node self._xml = None def _load_xml(self): """ TODO(wb): One day, nodes should generate format strings instead of the XML format made-up abomination. """ if self._xml is not None: return matcher = "\[(?:Normal|Conditional) Substitution\(index=(\d+), type=\d+\)\]" self._xml = re.sub(matcher, "{\\1:}", self._template_node.template_format().replace("{", "{{").replace("}", "}}")) def make_substitutions(self, substitutions): """ @type substitutions: list of VariantTypeNode """ self._load_xml() return self._xml.format(*[n.xml() for n in substitutions]) def node(self): return self._template_node class ChunkHeader(Block): def __init__(self, buf, offset): logger.debug("CHUNK HEADER at {}.".format(hex(offset))) super(ChunkHeader, self).__init__(buf, offset) self._strings = None self._templates = None self.declare_field("string", "magic", 0x0, length=8) self.declare_field("qword", "file_first_record_number") self.declare_field("qword", "file_last_record_number") self.declare_field("qword", "log_first_record_number") self.declare_field("qword", "log_last_record_number") self.declare_field("dword", "header_size") self.declare_field("dword", "last_record_offset") self.declare_field("dword", "next_record_offset") self.declare_field("dword", "data_checksum") self.declare_field("binary", "unused", length=0x44) self.declare_field("dword", "header_checksum") def __repr__(self): return "ChunkHeader(buf={!r}, offset={!r})".format(self._buf, self._offset) def __str__(self): return "ChunkHeader(offset={})".format(hex(self._offset)) def check_magic(self): """ @return A boolean that indicates if the first eight bytes of the ChunkHeader match the expected magic value. """ try: return self.magic() == "ElfChnk\x00" except UnicodeDecodeError: return False def calculate_header_checksum(self): """ @return A integer in the range of an unsigned int that is the calculated CRC32 checksum of the ChunkHeader fields. """ data = self.unpack_binary(0x0, 0x78) data += self.unpack_binary(0x80, 0x180) return binascii.crc32(data) & 0xFFFFFFFF def calculate_data_checksum(self): """ @return A integer in the range of an unsigned int that is the calculated CRC32 checksum of the Chunk data. """ data = self.unpack_binary(0x200, self.next_record_offset() - 0x200) return binascii.crc32(data) & 0xFFFFFFFF def verify(self): """ @return A boolean that indicates that the FileHeader successfully passes a set of heuristic checks that all EVTX ChunkHeaders should pass. """ return self.check_magic() and \ self.calculate_header_checksum() == self.header_checksum() and \ self.calculate_data_checksum() == self.data_checksum() def _load_strings(self): if self._strings is None: self._strings = {} for i in range(64): ofs = self.unpack_dword(0x80 + (i * 4)) while ofs > 0: string_node = self.add_string(ofs) ofs = string_node.next_offset() def strings(self): """ @return A dict(offset --> NameStringNode) """ if not self._strings: self._load_strings() return self._strings def add_string(self, offset, parent=None): """ @param offset An integer offset that is relative to the start of this chunk. @param parent (Optional) The parent of the newly created NameStringNode instance. (Default: this chunk). @return None """ if self._strings is None: self._load_strings() string_node = NameStringNode(self._buf, self._offset + offset, self, parent or self) self._strings[offset] = string_node return string_node def _load_templates(self): """ @return None """ if self._templates is None: self._templates = {} for i in range(32): ofs = self.unpack_dword(0x180 + (i * 4)) while ofs > 0: # unclear why these are found before the offset # this is a direct port from A.S.'s code token = self.unpack_byte(ofs - 10) pointer = self.unpack_dword(ofs - 4) if token != 0x0c or pointer != ofs: logger.warning("Unexpected token encountered") ofs = 0 continue template = self.add_template(ofs) ofs = template.next_offset() def add_template(self, offset, parent=None): """ @param offset An integer which contains the chunk-relative offset to a template to load into this Chunk. @param parent (Optional) The parent of the newly created TemplateNode instance. (Default: this chunk). @return Newly added TemplateNode instance. """ if self._templates is None: self._load_templates() node = TemplateNode(self._buf, self._offset + offset, self, parent or self) self._templates[offset] = node return node def templates(self): """ @return A dict(offset --> Template) of all encountered templates in this Chunk. """ if not self._templates: self._load_templates() return self._templates def first_record(self): return Record(self._buf, self._offset + 0x200, self) def records(self): try: record = self.first_record() except InvalidRecordException: return while record._offset < self._offset + self.next_record_offset() and record.length() > 0: yield record try: record = Record(self._buf, record._offset + record.length(), self) except InvalidRecordException: return class Record(Block): def __init__(self, buf, offset, chunk): logger.debug("Record at {}.".format(hex(offset))) super(Record, self).__init__(buf, offset) self._chunk = chunk self.declare_field("dword", "magic", 0x0) # 0x00002a2a self.declare_field("dword", "size") self.declare_field("qword", "record_num") self.declare_field("filetime", "timestamp") if self.size() > 0x10000: raise InvalidRecordException() self.declare_field("dword", "size2", self.size() - 4) def __repr__(self): return "Record(buf={!r}, offset={!r})".format(self._buf, self._offset) def __str__(self): return "Record(offset={})".format(hex(self._offset)) def root(self): return RootNode(self._buf, self._offset + 0x18, self._chunk, self) def length(self): return self.size() def verify(self): return self.size() == self.size2() def data(self): """ Return the raw data block which makes up this record as a bytestring. @rtype str @return A string that is a copy of the buffer that makes up this record. """ return self._buf[self.offset():self.offset() + self.size()] def xml(self): ''' render the record into XML. does not include the xml declaration header. Returns: str: the rendered xml document. ''' return e_views.evtx_record_xml_view(self) def lxml(self): ''' render the record into a lxml document. this is useful for querying data from the record using xpath, etc. note: lxml must be installed. Returns: lxml.etree.ElementTree: the rendered and parsed xml document. Raises: ImportError: if lxml is not installed. ''' import lxml.etree return lxml.etree.fromstring((e_views.XML_HEADER + self.xml()).encode('utf-8')) python-evtx-0.7.4/Evtx/Nodes.py000066400000000000000000001403441402613732500164100ustar00rootroot00000000000000#!/usr/bin/python # This file is part of python-evtx. # # Copyright 2012, 2013 Willi Ballenthin william.ballenthin@mandiant.com> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. from __future__ import absolute_import import re import base64 import itertools import six import hexdump from .BinaryParser import Block from .BinaryParser import ParseException from .BinaryParser import memoize class SYSTEM_TOKENS: EndOfStreamToken = 0x00 OpenStartElementToken = 0x01 CloseStartElementToken = 0x02 CloseEmptyElementToken = 0x03 CloseElementToken = 0x04 ValueToken = 0x05 AttributeToken = 0x06 CDataSectionToken = 0x07 EntityReferenceToken = 0x08 ProcessingInstructionTargetToken = 0x0A ProcessingInstructionDataToken = 0x0B TemplateInstanceToken = 0x0C NormalSubstitutionToken = 0x0D ConditionalSubstitutionToken = 0x0E StartOfStreamToken = 0x0F class NODE_TYPES: NULL = 0x00 WSTRING = 0x01 STRING = 0x02 SIGNED_BYTE = 0x03 UNSIGNED_BYTE = 0x04 SIGNED_WORD = 0x05 UNSIGNED_WORD = 0x06 SIGNED_DWORD = 0x07 UNSIGNED_DWORD = 0x08 SIGNED_QWORD = 0x09 UNSIGNED_QWORD = 0x0A FLOAT = 0x0B DOUBLE = 0x0C BOOLEAN = 0x0D BINARY = 0x0E GUID = 0x0F SIZE = 0x10 FILETIME = 0x11 SYSTEMTIME = 0x12 SID = 0x13 HEX32 = 0x14 HEX64 = 0x15 BXML = 0x21 WSTRINGARRAY = 0x81 node_dispatch_table = [] # updated at end of file node_readable_tokens = [] # updated at end of file class SuppressConditionalSubstitution(Exception): """ This exception is to be thrown to indicate that a conditional substitution evaluated to NULL, and the parent element should be suppressed. This exception should be caught at the first opportunity, and must not propagate far up the call chain. Strategy: AttributeNode catches this, .xml() --> "" StartOpenElementNode catches this for each child, ensures there's at least one useful value. Or, .xml() --> "" """ def __init__(self, msg): super(SuppressConditionalSubstitution, self).__init__(msg) class UnexpectedStateException(ParseException): """ UnexpectedStateException is an exception to be thrown when the parser encounters an unexpected value or state. This probably means there is a bug in the parser, but could stem from a corrupted input file. """ def __init__(self, msg): super(UnexpectedStateException, self).__init__(msg) class BXmlNode(Block): def __init__(self, buf, offset, chunk, parent): super(BXmlNode, self).__init__(buf, offset) self._chunk = chunk self._parent = parent def __repr__(self): return "BXmlNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "BXmlNode(offset={})".format(hex(self.offset())) def dump(self): b = self._buf[self.offset():self.offset() + self.length()] return hexdump.hexdump(b, result='return') def tag_length(self): """ This method must be implemented and overridden for all BXmlNodes. @return An integer specifying the length of this tag, not including its children. """ raise NotImplementedError("tag_length not implemented for {!r}").format(self) def _children(self, max_children=None, end_tokens=[SYSTEM_TOKENS.EndOfStreamToken]): """ @return A list containing all of the children BXmlNodes. """ ret = [] ofs = self.tag_length() if max_children: gen = list(range(max_children)) else: gen = itertools.count() for _ in gen: # we lose error checking by masking off the higher nibble, # but, some tokens like 0x01, make use of the flags nibble. token = self.unpack_byte(ofs) & 0x0F try: HandlerNodeClass = node_dispatch_table[token] child = HandlerNodeClass(self._buf, self.offset() + ofs, self._chunk, self) except IndexError: raise ParseException("Unexpected token {:02X} at {}".format( token, self.absolute_offset(0x0) + ofs)) ret.append(child) ofs += child.length() if token in end_tokens: break if child.find_end_of_stream(): break return ret @memoize def children(self): return self._children() @memoize def length(self): """ @return An integer specifying the length of this tag and all its children. """ ret = self.tag_length() for child in self.children(): ret += child.length() return ret @memoize def find_end_of_stream(self): for child in self.children(): if isinstance(child, EndOfStreamNode): return child ret = child.find_end_of_stream() if ret: return ret return None class NameStringNode(BXmlNode): def __init__(self, buf, offset, chunk, parent): super(NameStringNode, self).__init__(buf, offset, chunk, parent) self.declare_field("dword", "next_offset", 0x0) self.declare_field("word", "hash") self.declare_field("word", "string_length") self.declare_field("wstring", "string", length=self.string_length()) def __repr__(self): return "NameStringNode(buf={!r}, offset={!r}, chunk={!r})".format( self._buf, self.offset(), self._chunk) def __str__(self): return "NameStringNode(offset={}, length={}, end={})".format( hex(self.offset()), hex(self.length()), hex(self.offset() + self.length())) def string(self): return str(self._string()) def tag_length(self): return (self.string_length() * 2) + 8 def length(self): # two bytes unaccounted for... return self.tag_length() + 2 class TemplateNode(BXmlNode): def __init__(self, buf, offset, chunk, parent): super(TemplateNode, self).__init__(buf, offset, chunk, parent) self.declare_field("dword", "next_offset", 0x0) self.declare_field("dword", "template_id") self.declare_field("guid", "guid", 0x04) # unsure why this overlaps self.declare_field("dword", "data_length") def __repr__(self): return "TemplateNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "TemplateNode(offset={}, guid={}, length={})".format( hex(self.offset()), self.guid(), hex(self.length())) def tag_length(self): return 0x18 def length(self): return self.tag_length() + self.data_length() class EndOfStreamNode(BXmlNode): """ The binary XML node for the system token 0x00. This is the "end of stream" token. It may never actually be instantiated here. """ def __init__(self, buf, offset, chunk, parent): super(EndOfStreamNode, self).__init__(buf, offset, chunk, parent) def __repr__(self): return "EndOfStreamNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "EndOfStreamNode(offset={}, length={}, token={})".format( hex(self.offset()), hex(self.length()), 0x00) def flags(self): return self.token() >> 4 def tag_length(self): return 1 def length(self): return 1 def children(self): return [] class OpenStartElementNode(BXmlNode): """ The binary XML node for the system token 0x01. This is the "open start element" token. """ def __init__(self, buf, offset, chunk, parent): super(OpenStartElementNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) self.declare_field("word", "unknown0") # TODO(wb): use this size() field. self.declare_field("dword", "size") self.declare_field("dword", "string_offset") self._tag_length = 11 self._element_type = 0 if self.flags() & 0x04: self._tag_length += 4 if self.string_offset() > self.offset() - self._chunk._offset: new_string = self._chunk.add_string(self.string_offset(), parent=self) self._tag_length += new_string.length() def __repr__(self): return "OpenStartElementNode(buf={!r}, offset={!r}, chunk={!r})".format( self._buf, self.offset(), self._chunk) def __str__(self): return "OpenStartElementNode(offset={}, name={}, length={}, token={}, end={}, taglength={}, endtag={})".format( hex(self.offset()), self.tag_name(), hex(self.length()), hex(self.token()), hex(self.offset() + self.length()), hex(self.tag_length()), hex(self.offset() + self.tag_length())) @memoize def is_empty_node(self): for child in self.children(): if type(child) is CloseEmptyElementNode: return True return False def flags(self): return self.token() >> 4 @memoize def tag_name(self): return self._chunk.strings()[self.string_offset()].string() def tag_length(self): return self._tag_length def verify(self): return self.flags() & 0x0b == 0 and \ self.opcode() & 0x0F == 0x01 @memoize def children(self): return self._children(end_tokens=[SYSTEM_TOKENS.CloseElementToken, SYSTEM_TOKENS.CloseEmptyElementToken]) class CloseStartElementNode(BXmlNode): """ The binary XML node for the system token 0x02. This is the "close start element" token. """ def __init__(self, buf, offset, chunk, parent): super(CloseStartElementNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) def __repr__(self): return "CloseStartElementNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "CloseStartElementNode(offset={}, length={}, token={})".format( hex(self.offset()), hex(self.length()), hex(self.token())) def flags(self): return self.token() >> 4 def tag_length(self): return 1 def length(self): return 1 def children(self): return [] def verify(self): return self.flags() & 0x0F == 0 and \ self.opcode() & 0x0F == 0x02 class CloseEmptyElementNode(BXmlNode): """ The binary XML node for the system token 0x03. """ def __init__(self, buf, offset, chunk, parent): super(CloseEmptyElementNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) def __repr__(self): return "CloseEmptyElementNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "CloseEmptyElementNode(offset={}, length={}, token={})".format( hex(self.offset()), hex(self.length()), hex(0x03)) def flags(self): return self.token() >> 4 def tag_length(self): return 1 def length(self): return 1 def children(self): return [] class CloseElementNode(BXmlNode): """ The binary XML node for the system token 0x04. This is the "close element" token. """ def __init__(self, buf, offset, chunk, parent): super(CloseElementNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) def __repr__(self): return "CloseElementNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "CloseElementNode(offset={}, length={}, token={})".format( hex(self.offset()), hex(self.length()), hex(self.token())) def flags(self): return self.token() >> 4 def tag_length(self): return 1 def length(self): return 1 def children(self): return [] def verify(self): return self.flags() & 0x0F == 0 and \ self.opcode() & 0x0F == 0x04 def get_variant_value(buf, offset, chunk, parent, type_, length=None): """ @return A VariantType subclass instance found in the given buffer and offset. """ types = { NODE_TYPES.NULL: NullTypeNode, NODE_TYPES.WSTRING: WstringTypeNode, NODE_TYPES.STRING: StringTypeNode, NODE_TYPES.SIGNED_BYTE: SignedByteTypeNode, NODE_TYPES.UNSIGNED_BYTE: UnsignedByteTypeNode, NODE_TYPES.SIGNED_WORD: SignedWordTypeNode, NODE_TYPES.UNSIGNED_WORD: UnsignedWordTypeNode, NODE_TYPES.SIGNED_DWORD: SignedDwordTypeNode, NODE_TYPES.UNSIGNED_DWORD: UnsignedDwordTypeNode, NODE_TYPES.SIGNED_QWORD: SignedQwordTypeNode, NODE_TYPES.UNSIGNED_QWORD: UnsignedQwordTypeNode, NODE_TYPES.FLOAT: FloatTypeNode, NODE_TYPES.DOUBLE: DoubleTypeNode, NODE_TYPES.BOOLEAN: BooleanTypeNode, NODE_TYPES.BINARY: BinaryTypeNode, NODE_TYPES.GUID: GuidTypeNode, NODE_TYPES.SIZE: SizeTypeNode, NODE_TYPES.FILETIME: FiletimeTypeNode, NODE_TYPES.SYSTEMTIME: SystemtimeTypeNode, NODE_TYPES.SID: SIDTypeNode, NODE_TYPES.HEX32: Hex32TypeNode, NODE_TYPES.HEX64: Hex64TypeNode, NODE_TYPES.BXML: BXmlTypeNode, NODE_TYPES.WSTRINGARRAY: WstringArrayTypeNode, } try: TypeClass = types[type_] except IndexError: raise NotImplementedError("Type {} not implemented".format(type_)) return TypeClass(buf, offset, chunk, parent, length=length) class ValueNode(BXmlNode): """ The binary XML node for the system token 0x05. This is the "value" token. """ def __init__(self, buf, offset, chunk, parent): super(ValueNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) self.declare_field("byte", "type") def __repr__(self): return "ValueNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "ValueNode(offset={}, length={}, token={}, value={})".format( hex(self.offset()), hex(self.length()), hex(self.token()), self.value().string()) def flags(self): return self.token() >> 4 def value(self): return self.children()[0] def tag_length(self): return 2 def children(self): child = get_variant_value(self._buf, self.offset() + self.tag_length(), self._chunk, self, self.type()) return [child] def verify(self): return self.flags() & 0x0B == 0 and \ self.token() & 0x0F == SYSTEM_TOKENS.ValueToken class AttributeNode(BXmlNode): """ The binary XML node for the system token 0x06. This is the "attribute" token. """ def __init__(self, buf, offset, chunk, parent): super(AttributeNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) self.declare_field("dword", "string_offset") self._name_string_length = 0 if self.string_offset() > self.offset() - self._chunk._offset: new_string = self._chunk.add_string(self.string_offset(), parent=self) self._name_string_length += new_string.length() def __repr__(self): return "AttributeNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "AttributeNode(offset={}, length={}, token={}, name={}, value={})".format( hex(self.offset()), hex(self.length()), hex(self.token()), self.attribute_name(), self.attribute_value()) def flags(self): return self.token() >> 4 def attribute_name(self): """ @return A NameNode instance that contains the attribute name. """ return self._chunk.strings()[self.string_offset()] def attribute_value(self): """ @return A BXmlNode instance that is one of (ValueNode, ConditionalSubstitutionNode, NormalSubstitutionNode). """ return self.children()[0] def tag_length(self): return 5 + self._name_string_length def verify(self): return self.flags() & 0x0B == 0 and \ self.opcode() & 0x0F == 0x06 @memoize def children(self): return self._children(max_children=1) class CDataSectionNode(BXmlNode): """ The binary XML node for the system token 0x07. This is the "CDATA section" system token. """ def __init__(self, buf, offset, chunk, parent): super(CDataSectionNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) self.declare_field("word", "string_length") self.declare_field("wstring", "cdata", length=self.string_length() - 2) def __repr__(self): return "CDataSectionNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "CDataSectionNode(offset={}, length={}, token={})".format( hex(self.offset()), hex(self.length()), 0x07) def flags(self): return self.token() >> 4 def tag_length(self): return 0x3 + self.string_length() def length(self): return self.tag_length() def children(self): return [] def verify(self): return self.flags() == 0x0 and \ self.token() & 0x0F == SYSTEM_TOKENS.CDataSectionToken class CharacterReferenceNode(BXmlNode): """ The binary XML node for the system token 0x08. This is an character reference node. That is, something that represents a non-XML character, eg. & --> 8. """ def __init__(self, buf, offset, chunk, parent): super(CharacterReferenceNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) self.declare_field("word", "entity") self._tag_length = 3 def __repr__(self): return "CharacterReferenceNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "CharacterReferenceNode(offset={}, length={}, token={})".format( hex(self.offset()), hex(self.length()), hex(0x08)) def entity_reference(self): return '&#x%04x;' % (self.entity()) def flags(self): return self.token() >> 4 def tag_length(self): return self._tag_length def children(self): return [] class EntityReferenceNode(BXmlNode): """ The binary XML node for the system token 0x09. This is an entity reference node. That is, something that represents a non-XML character, eg. & --> &. TODO(wb): this is untested. """ def __init__(self, buf, offset, chunk, parent): super(EntityReferenceNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) self.declare_field("dword", "string_offset") self._tag_length = 5 if self.string_offset() > self.offset() - self._chunk.offset(): new_string = self._chunk.add_string(self.string_offset(), parent=self) self._tag_length += new_string.length() def __repr__(self): return "EntityReferenceNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "EntityReferenceNode(offset={}, length={}, token={})".format( hex(self.offset()), hex(self.length()), hex(0x09)) def entity_reference(self): return "&{};".format(self._chunk.strings()[self.string_offset()].string()) def flags(self): return self.token() >> 4 def tag_length(self): return self._tag_length def children(self): # TODO(wb): it may be possible for this element to have children. return [] class ProcessingInstructionTargetNode(BXmlNode): """ The binary XML node for the system token 0x0A. TODO(wb): untested. """ def __init__(self, buf, offset, chunk, parent): super(ProcessingInstructionTargetNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) self.declare_field("dword", "string_offset") self._tag_length = 5 if self.string_offset() > self.offset() - self._chunk.offset(): new_string = self._chunk.add_string(self.string_offset(), parent=self) self._tag_length += new_string.length() def __repr__(self): return "ProcessingInstructionTargetNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "ProcessingInstructionTargetNode(offset={}, length={}, token={})".format( hex(self.offset()), hex(self.length()), hex(0x0A)) def processing_instruction_target(self): return "> 4 def tag_length(self): return self._tag_length def children(self): # TODO(wb): it may be possible for this element to have children. return [] class ProcessingInstructionDataNode(BXmlNode): """ The binary XML node for the system token 0x0B. TODO(wb): untested. """ def __init__(self, buf, offset, chunk, parent): super(ProcessingInstructionDataNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) self.declare_field("word", "string_length") self._tag_length = 3 + (2 * self.string_length()) if self.string_length() > 0: self._string = self.unpack_wstring(0x3, self.string_length()) else: self._string = "" def __repr__(self): return "ProcessingInstructionDataNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "ProcessingInstructionDataNode(offset={}, length={}, token={})".format( hex(self.offset()), hex(self.length()), hex(0x0B)) def flags(self): return self.token() >> 4 def string(self): if self.string_length() > 0: return " {}?>".format(self._string) else: return "?>" def tag_length(self): return self._tag_length def children(self): # TODO(wb): it may be possible for this element to have children. return [] class TemplateInstanceNode(BXmlNode): """ The binary XML node for the system token 0x0C. """ def __init__(self, buf, offset, chunk, parent): super(TemplateInstanceNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) self.declare_field("byte", "unknown0") self.declare_field("dword", "template_id") self.declare_field("dword", "template_offset") self._data_length = 0 if self.is_resident_template(): new_template = self._chunk.add_template(self.template_offset(), parent=self) self._data_length += new_template.length() def __repr__(self): return "TemplateInstanceNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "TemplateInstanceNode(offset={}, length={}, token={})".format( hex(self.offset()), hex(self.length()), hex(0x0C)) def flags(self): return self.token() >> 4 def is_resident_template(self): return self.template_offset() > self.offset() - self._chunk._offset def tag_length(self): return 10 def length(self): return self.tag_length() + self._data_length def template(self): return self._chunk.templates()[self.template_offset()] def children(self): return [] @memoize def find_end_of_stream(self): return self.template().find_end_of_stream() class NormalSubstitutionNode(BXmlNode): """ The binary XML node for the system token 0x0D. This is a "normal substitution" token. """ def __init__(self, buf, offset, chunk, parent): super(NormalSubstitutionNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) self.declare_field("word", "index") self.declare_field("byte", "type") def __repr__(self): return "NormalSubstitutionNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "NormalSubstitutionNode(offset={}, length={}, token={}, index={}, type={})".format( hex(self.offset()), hex(self.length()), hex(self.token()), self.index(), self.type()) def flags(self): return self.token() >> 4 def tag_length(self): return 0x4 def length(self): return self.tag_length() def children(self): return [] def verify(self): return self.flags() == 0 and \ self.token() & 0x0F == SYSTEM_TOKENS.NormalSubstitutionToken class ConditionalSubstitutionNode(BXmlNode): """ The binary XML node for the system token 0x0E. """ def __init__(self, buf, offset, chunk, parent): super(ConditionalSubstitutionNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) self.declare_field("word", "index") self.declare_field("byte", "type") def __repr__(self): return "ConditionalSubstitutionNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "ConditionalSubstitutionNode(offset={}, length={}, token={})".format( hex(self.offset()), hex(self.length()), hex(0x0E)) def should_suppress(self, substitutions): sub = substitutions[self.index()] return type(sub) is NullTypeNode def flags(self): return self.token() >> 4 def tag_length(self): return 0x4 def length(self): return self.tag_length() def children(self): return [] def verify(self): return self.flags() == 0 and \ self.token() & 0x0F == SYSTEM_TOKENS.ConditionalSubstitutionToken class StreamStartNode(BXmlNode): """ The binary XML node for the system token 0x0F. This is the "start of stream" token. """ def __init__(self, buf, offset, chunk, parent): super(StreamStartNode, self).__init__(buf, offset, chunk, parent) self.declare_field("byte", "token", 0x0) self.declare_field("byte", "unknown0") self.declare_field("word", "unknown1") def __repr__(self): return "StreamStartNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "StreamStartNode(offset={}, length={}, token={})".format( hex(self.offset()), hex(self.length()), hex(self.token())) def verify(self): return self.flags() == 0x0 and \ self.token() & 0x0F == SYSTEM_TOKENS.StartOfStreamToken and \ self.unknown0() == 0x1 and \ self.unknown1() == 0x1 def flags(self): return self.token() >> 4 def tag_length(self): return 4 def length(self): return self.tag_length() + 0 def children(self): return [] class RootNode(BXmlNode): """ The binary XML node for the Root node. """ def __init__(self, buf, offset, chunk, parent): super(RootNode, self).__init__(buf, offset, chunk, parent) def __repr__(self): return "RootNode(buf={!r}, offset={!r}, chunk={!r}, parent={!r})".format( self._buf, self.offset(), self._chunk, self._parent) def __str__(self): return "RootNode(offset={}, length={})".format( hex(self.offset()), hex(self.length())) def tag_length(self): return 0 @memoize def children(self): """ @return The template instances which make up this node. """ return self._children(end_tokens=[SYSTEM_TOKENS.EndOfStreamToken]) def tag_and_children_length(self): """ @return The length of the tag of this element, and the children. This does not take into account the substitutions that may be at the end of this element. """ children_length = 0 for child in self.children(): children_length += child.length() return self.tag_length() + children_length def template_instance(self): ''' parse the template instance node. this is used to compute the location of the template definition structure. Returns: TemplateInstanceNode: the template instance. ''' ofs = self.offset() if self.unpack_byte(0x0) & 0x0F == 0xF: ofs += 4 return TemplateInstanceNode(self._buf, ofs, self._chunk, self) def template(self): ''' parse the template referenced by this root node. note, this template structure is not guaranteed to be located within the root node's boundaries. Returns: TemplateNode: the template. ''' instance = self.template_instance() offset = self._chunk.offset() + instance.template_offset() node = TemplateNode(self._buf, offset, self._chunk, instance) return node @memoize def substitutions(self): """ @return A list of VariantTypeNode subclass instances that contain the substitutions for this root node. """ sub_decl = [] sub_def = [] ofs = self.tag_and_children_length() sub_count = self.unpack_dword(ofs) ofs += 4 for _ in range(sub_count): size = self.unpack_word(ofs) type_ = self.unpack_byte(ofs + 0x2) sub_decl.append((size, type_)) ofs += 4 for (size, type_) in sub_decl: val = get_variant_value(self._buf, self.offset() + ofs, self._chunk, self, type_, length=size) if abs(size - val.length()) > 4: # TODO(wb): This is a hack, so I'm sorry. # But, we are not passing around a 'length' field, # so we have to depend on the structure of each # variant type. It seems some BXmlTypeNode sizes # are not exact. Hopefully, this is just alignment. # So, that's what we compensate for here. raise ParseException("Invalid substitution value size") sub_def.append(val) ofs += size return sub_def @memoize def length(self): ofs = self.tag_and_children_length() sub_count = self.unpack_dword(ofs) ofs += 4 ret = ofs for _ in range(sub_count): size = self.unpack_word(ofs) ret += size + 4 ofs += 4 return ret class VariantTypeNode(BXmlNode): """ """ def __init__(self, buf, offset, chunk, parent, length=None): super(VariantTypeNode, self).__init__(buf, offset, chunk, parent) self._length = length def __repr__(self): return "{}(buf={!r}, offset={}, chunk={!r})".format( self.__class__.__name__, self._buf, hex(self.offset()), self._chunk) def __str__(self): return "{}(offset={}, length={}, string={})".format( self.__class__.__name__, hex(self.offset()), hex(self.length()), self.string()) def tag_length(self): raise NotImplementedError("tag_length not implemented for {!r}".format(self)) def length(self): return self.tag_length() def children(self): return [] def string(self): raise NotImplementedError("string not implemented for {!r}".format(self)) # but satisfies the contract of VariantTypeNode, BXmlNode, but not Block class NullTypeNode(object): """ Variant type 0x00. """ def __init__(self, buf, offset, chunk, parent, length=None): super(NullTypeNode, self).__init__() self._offset = offset self._length = length def __str__(self): return "NullTypeNode" def string(self): return "" def length(self): return self._length or 0 def tag_length(self): return self._length or 0 def children(self): return [] def offset(self): return self._offset class WstringTypeNode(VariantTypeNode): """ Variant ttype 0x01. """ def __init__(self, buf, offset, chunk, parent, length=None): super(WstringTypeNode, self).__init__(buf, offset, chunk, parent, length=length) if self._length is None: self.declare_field("word", "string_length", 0x0) self.declare_field("wstring", "_string", length=(self.string_length())) else: self.declare_field("wstring", "_string", 0x0, length=(self._length // 2)) def tag_length(self): if self._length is None: return (2 + (self.string_length() * 2)) return self._length def string(self): return self._string().rstrip("\x00") class StringTypeNode(VariantTypeNode): """ Variant type 0x02. """ def __init__(self, buf, offset, chunk, parent, length=None): super(StringTypeNode, self).__init__(buf, offset, chunk, parent, length=length) if self._length is None: self.declare_field("word", "string_length", 0x0) self.declare_field("string", "_string", length=(self.string_length())) else: self.declare_field("string", "_string", 0x0, length=self._length) def tag_length(self): if self._length is None: return (2 + (self.string_length())) return self._length def string(self): return self._string().rstrip("\x00") class SignedByteTypeNode(VariantTypeNode): """ Variant type 0x03. """ def __init__(self, buf, offset, chunk, parent, length=None): super(SignedByteTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("int8", "byte", 0x0) def tag_length(self): return 1 def string(self): return str(self.byte()) class UnsignedByteTypeNode(VariantTypeNode): """ Variant type 0x04. """ def __init__(self, buf, offset, chunk, parent, length=None): super(UnsignedByteTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("byte", "byte", 0x0) def tag_length(self): return 1 def string(self): return str(self.byte()) class SignedWordTypeNode(VariantTypeNode): """ Variant type 0x05. """ def __init__(self, buf, offset, chunk, parent, length=None): super(SignedWordTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("int16", "word", 0x0) def tag_length(self): return 2 def string(self): return str(self.word()) class UnsignedWordTypeNode(VariantTypeNode): """ Variant type 0x06. """ def __init__(self, buf, offset, chunk, parent, length=None): super(UnsignedWordTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("word", "word", 0x0) def tag_length(self): return 2 def string(self): return str(self.word()) class SignedDwordTypeNode(VariantTypeNode): """ Variant type 0x07. """ def __init__(self, buf, offset, chunk, parent, length=None): super(SignedDwordTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("int32", "dword", 0x0) def tag_length(self): return 4 def string(self): return str(self.dword()) class UnsignedDwordTypeNode(VariantTypeNode): """ Variant type 0x08. """ def __init__(self, buf, offset, chunk, parent, length=None): super(UnsignedDwordTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("dword", "dword", 0x0) def tag_length(self): return 4 def string(self): return str(self.dword()) class SignedQwordTypeNode(VariantTypeNode): """ Variant type 0x09. """ def __init__(self, buf, offset, chunk, parent, length=None): super(SignedQwordTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("int64", "qword", 0x0) def tag_length(self): return 8 def string(self): return str(self.qword()) class UnsignedQwordTypeNode(VariantTypeNode): """ Variant type 0x0A. """ def __init__(self, buf, offset, chunk, parent, length=None): super(UnsignedQwordTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("qword", "qword", 0x0) def tag_length(self): return 8 def string(self): return str(self.qword()) class FloatTypeNode(VariantTypeNode): """ Variant type 0x0B. """ def __init__(self, buf, offset, chunk, parent, length=None): super(FloatTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("float", "float", 0x0) def tag_length(self): return 4 def string(self): return str(self.float()) class DoubleTypeNode(VariantTypeNode): """ Variant type 0x0C. """ def __init__(self, buf, offset, chunk, parent, length=None): super(DoubleTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("double", "double", 0x0) def tag_length(self): return 8 def string(self): return str(self.double()) class BooleanTypeNode(VariantTypeNode): """ Variant type 0x0D. """ def __init__(self, buf, offset, chunk, parent, length=None): super(BooleanTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("int32", "int32", 0x0) def tag_length(self): return 4 def string(self): if self.int32() > 0: return "True" return "False" class BinaryTypeNode(VariantTypeNode): """ Variant type 0x0E. String/XML representation is Base64 encoded. """ def __init__(self, buf, offset, chunk, parent, length=None): super(BinaryTypeNode, self).__init__(buf, offset, chunk, parent, length=length) if self._length is None: self.declare_field("dword", "size", 0x0) self.declare_field("binary", "binary", length=self.size()) else: self.declare_field("binary", "binary", 0x0, length=self._length) def tag_length(self): if self._length is None: return (4 + self.size()) return self._length def string(self): return base64.b64encode(self.binary()).decode('ascii') class GuidTypeNode(VariantTypeNode): """ Variant type 0x0F. """ def __init__(self, buf, offset, chunk, parent, length=None): super(GuidTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("guid", "guid", 0x0) def tag_length(self): return 16 def string(self): return '{' + self.guid() + '}' class SizeTypeNode(VariantTypeNode): """ Variant type 0x10. Note: Assuming sizeof(size_t) == 0x8. """ def __init__(self, buf, offset, chunk, parent, length=None): super(SizeTypeNode, self).__init__(buf, offset, chunk, parent, length=length) if self._length == 0x4: self.declare_field("dword", "num", 0x0) elif self._length == 0x8: self.declare_field("qword", "num", 0x0) else: self.declare_field("qword", "num", 0x0) def tag_length(self): if self._length is None: return 8 return self._length def string(self): return str(self.num()) class FiletimeTypeNode(VariantTypeNode): """ Variant type 0x11. """ def __init__(self, buf, offset, chunk, parent, length=None): super(FiletimeTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("filetime", "filetime", 0x0) def string(self): return self.filetime().isoformat(' ') def tag_length(self): return 8 class SystemtimeTypeNode(VariantTypeNode): """ Variant type 0x12. """ def __init__(self, buf, offset, chunk, parent, length=None): super(SystemtimeTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("systemtime", "systemtime", 0x0) def tag_length(self): return 16 def string(self): return self.systemtime().isoformat(' ') class SIDTypeNode(VariantTypeNode): """ Variant type 0x13. """ def __init__(self, buf, offset, chunk, parent, length=None): super(SIDTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("byte", "version", 0x0) self.declare_field("byte", "num_elements") self.declare_field("dword_be", "id_high") self.declare_field("word_be", "id_low") @memoize def elements(self): ret = [] for i in range(self.num_elements()): ret.append(self.unpack_dword(self.current_field_offset() + 4 * i)) return ret @memoize def id(self): ret = "S-{}-{}".format( self.version(), (self.id_high() << 16) ^ self.id_low()) for elem in self.elements(): ret += "-{}".format(elem) return ret def tag_length(self): return 8 + 4 * self.num_elements() def string(self): return self.id() class Hex32TypeNode(VariantTypeNode): """ Variant type 0x14. """ def __init__(self, buf, offset, chunk, parent, length=None): super(Hex32TypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("binary", "hex", 0x0, length=0x4) def tag_length(self): return 4 def string(self): ret = "0x" b = self.hex()[::-1] for i in range(len(b)): ret += '{:02x}'.format(six.indexbytes(b, i)) return ret class Hex64TypeNode(VariantTypeNode): """ Variant type 0x15. """ def __init__(self, buf, offset, chunk, parent, length=None): super(Hex64TypeNode, self).__init__(buf, offset, chunk, parent, length=length) self.declare_field("binary", "hex", 0x0, length=0x8) def tag_length(self): return 8 def string(self): ret = "0x" b = self.hex()[::-1] for i in range(len(b)): ret += '{:02x}'.format(six.indexbytes(b, i)) return ret class BXmlTypeNode(VariantTypeNode): """ Variant type 0x21. """ def __init__(self, buf, offset, chunk, parent, length=None): super(BXmlTypeNode, self).__init__(buf, offset, chunk, parent, length=length) self._root = RootNode(buf, offset, chunk, self) def tag_length(self): return self._length or self._root.length() def string(self): return '' def root(self): return self._root class WstringArrayTypeNode(VariantTypeNode): """ Variant ttype 0x81. """ def __init__(self, buf, offset, chunk, parent, length=None): super(WstringArrayTypeNode, self).__init__(buf, offset, chunk, parent, length=length) if self._length is None: self.declare_field("word", "binary_length", 0x0) self.declare_field("binary", "binary", length=(self.binary_length())) else: self.declare_field("binary", "binary", 0x0, length=(self._length)) def tag_length(self): if self._length is None: return (2 + self.binary_length()) return self._length def string(self): binary = self.binary() acc = [] while len(binary) > 0: match = re.search(b"((?:[^\x00].)+)", binary) if match: frag = match.group() acc.append("") acc.append(frag.decode("utf16")) acc.append("\n") binary = binary[len(frag) + 2:] if len(binary) == 0: break frag = re.search(b"(\x00*)", binary).group() if len(frag) % 2 == 0: for _ in range(len(frag) // 2): acc.append("\n") else: raise ParseException("Error parsing uneven substring of NULLs") binary = binary[len(frag):] return "".join(acc) node_dispatch_table = [ EndOfStreamNode, OpenStartElementNode, CloseStartElementNode, CloseEmptyElementNode, CloseElementNode, ValueNode, AttributeNode, CDataSectionNode, CharacterReferenceNode, EntityReferenceNode, ProcessingInstructionTargetNode, ProcessingInstructionDataNode, TemplateInstanceNode, NormalSubstitutionNode, ConditionalSubstitutionNode, StreamStartNode, ] node_readable_tokens = [ "End of Stream", "Open Start Element", "Close Start Element", "Close Empty Element", "Close Element", "Value", "Attribute", "unknown", "unknown", "unknown", "unknown", "unknown", "TemplateInstanceNode", "Normal Substitution", "Conditional Substitution", "Start of Stream", ] python-evtx-0.7.4/Evtx/Views.py000066400000000000000000000234331402613732500164340ustar00rootroot00000000000000#!/usr/bin/python # This file is part of python-evtx. # # Copyright 2012, 2013 Willi Ballenthin # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. from __future__ import absolute_import import re import xml.sax.saxutils import six import Evtx.Nodes as e_nodes XML_HEADER = "\n" class UnexpectedElementException(Exception): def __init__(self, msg): super(UnexpectedElementException, self).__init__(msg) # ref: https://www.w3.org/TR/xml11/#charsets RESTRICTED_CHARS = re.compile('[\x01-\x08\x0B\x0C\x0E-\x1F\x7F-\x84\x86-\x9F]') def escape_attr(s): ''' escape the given string such that it can be placed in an XML attribute, like: Args: s (str): the string to escape. Returns: str: the escaped string. ''' esc = xml.sax.saxutils.quoteattr(s) esc = esc.encode('ascii', 'xmlcharrefreplace').decode('ascii') esc = RESTRICTED_CHARS.sub('', esc) return esc def escape_value(s): ''' escape the given string such that it can be placed in an XML value location, like: $value Args: s (str): the string to escape. Returns: str: the escaped string. ''' esc = xml.sax.saxutils.escape(s) esc = esc.encode('ascii', 'xmlcharrefreplace').decode('ascii') esc = RESTRICTED_CHARS.sub('', esc) return esc # ref: https://www.w3.org/TR/xml/#NT-NameStartChar # but we are going to require a even stricter subset. NAME_PATTERN = re.compile('[a-zA-Z_][a-zA-Z_\-]*') def validate_name(s): ''' ensure the given name can be used as an XML entity name, such as tag or attribute name. Args: s (str): the string to validate. Raises: RuntimeError: if the string is not suitable to be an XML name. ''' if not NAME_PATTERN.match(s): raise RuntimeError('invalid xml name: %s' % (s)) return s def render_root_node_with_subs(root_node, subs): """ render the given root node using the given substitutions into XML. Args: root_node (e_nodes.RootNode): the node to render. subs (list[str]): the substitutions that maybe included in the XML. Returns: str: the rendered XML document. """ def rec(node, acc): if isinstance(node, e_nodes.EndOfStreamNode): pass # intended elif isinstance(node, e_nodes.OpenStartElementNode): acc.append("<") acc.append(node.tag_name()) for child in node.children(): if isinstance(child, e_nodes.AttributeNode): acc.append(" ") acc.append(validate_name(child.attribute_name().string())) acc.append("=\"") # TODO: should use xml.sax.saxutils.quoteattr here # but to do so, we'd need to ensure we're not double-quoting this value. rec(child.attribute_value(), acc) acc.append("\"") acc.append(">") for child in node.children(): rec(child, acc) acc.append("\n") elif isinstance(node, e_nodes.CloseStartElementNode): pass # intended elif isinstance(node, e_nodes.CloseEmptyElementNode): pass # intended elif isinstance(node, e_nodes.CloseElementNode): pass # intended elif isinstance(node, e_nodes.ValueNode): acc.append(escape_value(node.children()[0].string())) elif isinstance(node, e_nodes.AttributeNode): pass # intended elif isinstance(node, e_nodes.CDataSectionNode): acc.append("") elif isinstance(node, e_nodes.EntityReferenceNode): acc.append(escape_value(node.entity_reference())) elif isinstance(node, e_nodes.ProcessingInstructionTargetNode): acc.append(escape_value(node.processing_instruction_target())) elif isinstance(node, e_nodes.ProcessingInstructionDataNode): acc.append(escape_value(node.string())) elif isinstance(node, e_nodes.TemplateInstanceNode): raise UnexpectedElementException("TemplateInstanceNode") elif isinstance(node, e_nodes.NormalSubstitutionNode): sub = subs[node.index()] if isinstance(sub, e_nodes.BXmlTypeNode): sub = render_root_node(sub.root()) else: sub = escape_value(sub.string()) acc.append(sub) elif isinstance(node, e_nodes.ConditionalSubstitutionNode): sub = subs[node.index()] if isinstance(sub, e_nodes.BXmlTypeNode): sub = render_root_node(sub.root()) else: sub = escape_value(sub.string()) acc.append(sub) elif isinstance(node, e_nodes.StreamStartNode): pass # intended acc = [] for c in root_node.template().children(): rec(c, acc) return "".join(acc) def render_root_node(root_node): subs = [] for sub in root_node.substitutions(): if isinstance(sub, six.string_types): raise RuntimeError('string sub?') if sub is None: raise RuntimeError('null sub?') subs.append(sub) return render_root_node_with_subs(root_node, subs) def evtx_record_xml_view(record, cache=None): ''' render the given record into an XML document. Args: record (Evtx.Record): the record to render. Returns: str: the rendered XML document. ''' return render_root_node(record.root()) def evtx_chunk_xml_view(chunk): """ Generate XML representations of the records in an EVTX chunk. Does not include the XML ") for child in node.children(): rec(child, acc) acc.append("\n") elif isinstance(node, e_nodes.CloseStartElementNode): pass # intended elif isinstance(node, e_nodes.CloseEmptyElementNode): pass # intended elif isinstance(node, e_nodes.CloseElementNode): pass # intended elif isinstance(node, e_nodes.ValueNode): acc.append(node.children()[0].string()) elif isinstance(node, e_nodes.AttributeNode): pass # intended elif isinstance(node, e_nodes.CDataSectionNode): acc.append("") elif isinstance(node, e_nodes.EntityReferenceNode): acc.append(node.entity_reference()) elif isinstance(node, e_nodes.ProcessingInstructionTargetNode): acc.append(node.processing_instruction_target()) elif isinstance(node, e_nodes.ProcessingInstructionDataNode): acc.append(node.string()) elif isinstance(node, e_nodes.TemplateInstanceNode): raise UnexpectedElementException("TemplateInstanceNode") elif isinstance(node, e_nodes.NormalSubstitutionNode): acc.append("[Normal Substitution(index={}, type={})]".format( node.index(), node.type())) elif isinstance(node, e_nodes.ConditionalSubstitutionNode): acc.append("[Conditional Substitution(index={}, type={})]".format( node.index(), node.type())) elif isinstance(node, e_nodes.StreamStartNode): pass # intended acc = [] for c in root_node.template().children(): rec(c, acc) return "".join(acc) python-evtx-0.7.4/Evtx/__init__.py000066400000000000000000000014541402613732500170750ustar00rootroot00000000000000# This file is part of python-evtx. # # Copyright 2012 Willi Ballenthin # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. __all__ = [ 'Evtx', 'BinaryParser', 'Nodes', 'Views', ] python-evtx-0.7.4/LICENSE.TXT000066400000000000000000000261361402613732500155250ustar00rootroot00000000000000 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. python-evtx-0.7.4/README.md000066400000000000000000000101171402613732500153110ustar00rootroot00000000000000python-evtx =========== Introduction ------------ python-evtx is a pure Python parser for recent Windows Event Log files (those with the file extension ".evtx"). The module provides programmatic access to the File and Chunk headers, record templates, and event entries. For example, you can use python-evtx to review the event logs of Windows 7 systems from a Mac or Linux workstation. The structure definitions and parsing strategies were heavily inspired by the work of Andreas Schuster and his Perl implementation "Parse-Evtx". Background ---------- With the release of Windows Vista, Microsoft introduced an updated event log file format. The format used in Windows XP was a circular buffer of record structures that each contained a list of strings. A viewer resolved templates hosted in system library files and inserted the strings into appropriate positions. The newer event log format is proprietary binary XML. Unpacking chunks from an event log file from Windows 7 results in a complete XML document with a variable schema. The changes helped Microsoft tune the file format to real-world uses of event logs, such as long running logs with hundreds of megabytes of data, and system independent template resolution. Related Work ------------ Andreas Schuster released the first public description of the .evtx file format in 2007. He is the author of the thorough document "Introducing the Microsoft Vista event log file format" that describes the motivation and details of the format. Mr. Schuster also maintains the Perl implementation of a parser called "Parse-Evtx". I referred to the source code of this library extensively during the development of python-evtx. Joachim Metz also released a cross-platform, LGPL licensed C++ based parser in 2011. His document "Windows XML Event Log (EVTX): Analysis of EVTX" provides a detailed description of the structures and context of newer event log files. Dependencies ------------ python-evtx works on both the 2.7 and 3.x versions of the Python programming language. As it is purely Python, the module works equally well across platforms. The code does not depend on any modules that require separate compilation; however, if you have lxml installed, its even nicer. python-evtx operates on event log files from Windows operating systems newer than Windows Vista. These files typically have the file extension .evtx. Version 5.09 of the `file` utility identifies such a file as "MS Vista Windows Event Log". To manual confirm the file type, look for the ASCII string "ElfFile" in the first seven bytes: willi/evtx » xxd -l 32 Security.evtx 0000000: 456c 6646 696c 6500 0000 0000 0000 0000 ElfFile......... 0000010: d300 0000 0000 0000 375e 0000 0000 0000 ........7^...... Examples -------- Provided with the parsing module `Evtx` are three scripts that mimic the tools distributed with Parse-Evtx. `evtxinfo.py` prints metadata about the event log and verifies the checksums of each chunk. `evtxtemplates.py` builds and prints the templates used throughout the event log. Finally, `evtxdump.py` parses the event log and transforms the binary XML into a human readable ASCII XML format. Note the length of the `evtxdump.py` script: its only 20 lines. Now, review the contents and notice the complete implementation of the logic: print(e_views.XML_HEADER) print('') for record in log.records: print(record.xml()) print('') Working with python-evtx is really easy! Installation ------------ Updates to python-evtx are pushed to PyPi, so you can install the module using either `easy_install` or `pip`. For example, you can use `pip` like so: pip install python-evtx The source code for python-evtx is hosted at Github, and you may download, fork, and review it from this repository (http://www.github.com/williballenthin/python-evtx). Please report issues or feature requests through Github's bug tracker associated with the project. License ------- python-evtx is licensed under the Apache License, Version 2.0. This means it is freely available for use and modification in a personal and professional capacity. python-evtx-0.7.4/scripts/000077500000000000000000000000001402613732500155215ustar00rootroot00000000000000python-evtx-0.7.4/scripts/evtx_dates.py000066400000000000000000000034111402613732500202400ustar00rootroot00000000000000#!/usr/bin/env python from lxml import etree from datetime import datetime from Evtx.Evtx import Evtx from Evtx.Views import evtx_file_xml_view def get_child(node, tag, ns="{http://schemas.microsoft.com/win/2004/08/events/event}"): return node.find("%s%s" % (ns, tag)) def to_lxml(record_xml): return etree.fromstring("%s" % record_xml.encode('utf-8')) def xml_records(filename): with Evtx(filename) as evtx: for xml, record in evtx_file_xml_view(evtx.get_file_header()): try: yield to_lxml(xml), None except etree.XMLSyntaxError as e: yield xml, e def parsed_date(dstr): ts = None try: ts = datetime.strptime(dstr, '%Y-%m-%d %H:%M:%S') except ValueError: ts = datetime.strptime(dstr, '%Y-%m-%d %H:%M:%S.%f') return ts def event_in_daterange(d, start, end): is_in_range = True if d < start: is_in_range = False if d > end: is_in_range = False return is_in_range def matching_records(evtfile, sdatetime, edatetime): for node, err in xml_records(evtfile): if err is not None: continue else: sys = get_child(node, "System") t = parsed_date(get_child(sys, "TimeCreated").get("SystemTime")) if event_in_daterange(t, sdatetime, edatetime): yield node def main(): import argparse parser = argparse.ArgumentParser() parser.add_argument("evtfile", type=str) parser.add_argument("start", type=parsed_date, help="Start date/time YYYY-mm-dd HH:MM:SS(.f)") parser.add_argument("-e", dest="end", type=parsed_date, help="End date/time YYYY-mm-dd HH:MM:SS(.f)", default=datetime.now()) args = parser.parse_args() for record in matching_records(args.evtfile, args.start, args.end): print(etree.tostring(record, pretty_print=True)) if __name__ == "__main__": main() python-evtx-0.7.4/scripts/evtx_dump.py000077500000000000000000000025111402613732500201100ustar00rootroot00000000000000#!/usr/bin/env python # This file is part of python-evtx. # # Copyright 2012, 2013 Willi Ballenthin # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Version v0.1.1 import Evtx.Evtx as evtx import Evtx.Views as e_views def main(): import argparse parser = argparse.ArgumentParser( description="Dump a binary EVTX file into XML.") parser.add_argument("evtx", type=str, help="Path to the Windows EVTX event log file") args = parser.parse_args() with evtx.Evtx(args.evtx) as log: print(e_views.XML_HEADER) print("") for record in log.records(): print(record.xml()) print("") if __name__ == "__main__": main() python-evtx-0.7.4/scripts/evtx_dump_chunk_slack.py000077500000000000000000000032451402613732500224620ustar00rootroot00000000000000#!/usr/bin/env python # This file is part of python-evtx. # # Copyright 2015 Willi Ballenthin # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import mmap import sys import contextlib import argparse from Evtx.Evtx import FileHeader def main(): parser = argparse.ArgumentParser( description="Dump the slack space of an EVTX file.") parser.add_argument("evtx", type=str, help="Path to the Windows EVTX event log file") args = parser.parse_args() with open(args.evtx, 'r') as f: with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf: fh = FileHeader(buf, 0x0) for chunk in fh.chunks(): chunk_start = chunk.offset() last_allocated_offset = chunk_start for record in chunk.records(): last_allocated_offset = record.offset() + record.size() sys.stdout.write(buf[last_allocated_offset:chunk_start + 0x10000]) if __name__ == "__main__": main() python-evtx-0.7.4/scripts/evtx_eid_record_numbers.py000077500000000000000000000016341402613732500230020ustar00rootroot00000000000000#!/usr/bin/env python import lxml.etree import Evtx.Evtx as evtx from filter_records import get_child def main(): import argparse parser = argparse.ArgumentParser( description="Print the record numbers of EVTX log entries " "that match the given EID.") parser.add_argument("evtx", type=str, help="Path to the Windows EVTX file") parser.add_argument("eid", type=int, help="The EID of records to extract") args = parser.parse_args() with evtx.Evtx(args.evtx) as log: for record in log.records(): try: node = record.lxml() except lxml.etree.XMLSyntaxError: continue if args.eid != int(get_child(get_child(node, "System"), "EventID").text): continue print(record.record_num()) if __name__ == "__main__": main() python-evtx-0.7.4/scripts/evtx_extract_record.py000077500000000000000000000026661402613732500221660ustar00rootroot00000000000000#!/usr/usr/bin/env python # This file is part of python-evtx. # # Copyright 2012, 2013 Willi Ballenthin # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Version v.0.1 import Evtx.Evtx as evtx def main(): import argparse parser = argparse.ArgumentParser( description="Write the raw data for a EVTX record to STDOUT") parser.add_argument("evtx", type=str, help="Path to the Windows EVTX file") parser.add_argument("record", type=int, help="The record number of the record to extract") args = parser.parse_args() with evtx.Evtx(args.evtx) as log: record = log.get_record(args.record) if record is None: raise RuntimeError("Cannot find the record specified.") print(record.data()) if __name__ == "__main__": main() python-evtx-0.7.4/scripts/evtx_filter_records.py000077500000000000000000000033711402613732500221560ustar00rootroot00000000000000#!/usr/bin/env python from lxml import etree #import xml.etree.cElementTree as etree from Evtx.Evtx import Evtx from Evtx.Views import evtx_file_xml_view def to_lxml(record_xml): """ @type record: Record """ return etree.fromstring("%s" % record_xml) def xml_records(filename): """ If the second return value is not None, then it is an Exception encountered during parsing. The first return value will be the XML string. @type filename str @rtype: generator of (etree.Element or str), (None or Exception) """ with Evtx(filename) as evtx: for xml, record in evtx_file_xml_view(evtx.get_file_header()): try: yield to_lxml(xml), None except etree.XMLSyntaxError as e: yield xml, e def get_child(node, tag, ns="{http://schemas.microsoft.com/win/2004/08/events/event}"): """ @type node: etree.Element @type tag: str @type ns: str """ return node.find("%s%s" % (ns, tag)) def main(): import argparse parser = argparse.ArgumentParser( description="Print only entries from an EVTX file with a given EID.") parser.add_argument("evtx", type=str, help="Path to the Windows EVTX file") parser.add_argument("eid", type=int, help="The EID of records to print") args = parser.parse_args() for node, err in xml_records(args.evtx): if err is not None: continue sys = get_child(node, "System") if args.eid == int(get_child(sys, "EventID").text): print(etree.tostring(node, pretty_print=True)) if __name__ == "__main__": main() python-evtx-0.7.4/scripts/evtx_info.py000066400000000000000000000105751402613732500201040ustar00rootroot00000000000000#!/usr/bin/env python # This file is part of python-evtx. # # Copyright 2012, 2013 Willi Ballenthin # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Version v0.1 import Evtx.Evtx as evtx def main(): import argparse parser = argparse.ArgumentParser( description="Dump information about an EVTX file.") parser.add_argument("evtx", type=str, help="Path to the Windows EVTX event log file") args = parser.parse_args() with evtx.Evtx(args.evtx) as log: fh = log.get_file_header() print("Information from file header:") print(("Format version : %d.%d" % (fh.major_version(), fh.minor_version()))) print(("Flags : 0x%08x" % (fh.flags()))) dirty_string = "clean" if fh.is_dirty(): dirty_string = "dirty" print(("File is : %s" % (dirty_string))) full_string = "no" if fh.is_full(): full_string = "yes" print(("Log is full : %s" % (full_string))) print(("Current chunk : %d of %d" % (fh.current_chunk_number(), fh.chunk_count()))) print(("Oldest chunk : %d" % (fh.oldest_chunk() + 1))) print(("Next record# : %d" % (fh.next_record_number()))) checksum_string = "fail" if fh.calculate_checksum() == fh.checksum(): checksum_string = "pass" print(("Check sum : %s" % (checksum_string))) print("") if fh.is_dirty(): chunk_count = sum([1 for c in fh.chunks() if c.verify()]) last_chunk = None for chunk in fh.chunks(): if not chunk.verify(): continue last_chunk = chunk next_record_num = last_chunk.log_last_record_number() + 1 print("Suspected updated header values (header is dirty):") print(("Current chunk : %d of %d" % (chunk_count, chunk_count))) print(("Next record# : %d" % (next_record_num))) print("") print("Information from chunks:") print(" Chunk file (first/last) log (first/last) Header Data") print("- ----- --------------------- --------------------- ------ ------") for (i, chunk) in enumerate(fh.chunks(include_inactive=True), 1): note_string = " " if i == fh.current_chunk_number() + 1: note_string = "*" elif i == fh.oldest_chunk() + 1: note_string = ">" if not chunk.check_magic(): try: magic = chunk.magic() except UnicodeDecodeError: magic = "" if magic == "\x00\x00\x00\x00\x00\x00\x00\x00": print("%s %4d [EMPTY]" % (note_string, i)) else: print("%s %4d [INVALID]" % (note_string, i)) continue header_checksum_string = "fail" if chunk.calculate_header_checksum() == chunk.header_checksum(): header_checksum_string = "pass" data_checksum_string = "fail" if chunk.calculate_data_checksum() == chunk.data_checksum(): data_checksum_string = "pass" print("%s %4d %8d %8d %8d %8d %s %s" % (note_string, i, chunk.file_first_record_number(), chunk.file_last_record_number(), chunk.log_first_record_number(), chunk.log_last_record_number(), header_checksum_string, data_checksum_string)) if __name__ == "__main__": main() python-evtx-0.7.4/scripts/evtx_record_structure.py000077500000000000000000000063741402613732500225540ustar00rootroot00000000000000#!/usr/bin/env python import hexdump import Evtx.Evtx as evtx from Evtx.Nodes import RootNode from Evtx.Nodes import BXmlTypeNode from Evtx.Nodes import TemplateInstanceNode from Evtx.Nodes import VariantTypeNode def describe_root(record, root, indent=0, suppress_values=False): """ Args: record (Evtx.Record): indent (int): """ def format_node(n, extra=None, indent=0): """ Depends on closure over `record` and `suppress_values`. Args: n (Evtx.Nodes.BXmlNode): extra (str): Returns: str: """ ret = "" indent_s = ' ' * indent name = n.__class__.__name__ offset = n.offset() - record.offset() if extra is not None: ret = "%s%s(offset=%s, %s)" % (indent_s, name, hex(offset), extra) else: ret = "%s%s(offset=%s)" % (indent_s, name, hex(offset)) if not suppress_values and isinstance(n, VariantTypeNode): ret += " --> %s" % (n.string()) if isinstance(n, BXmlTypeNode): ret += "\n" ret += describe_root(record, n._root, indent=indent + 1) return ret def rec(node, indent=0): """ Args: node (Evtx.Nodes.BXmlNode): indent (int): Returns: str: """ ret = "" if isinstance(node, TemplateInstanceNode): if node.is_resident_template(): extra = "resident=True, length=%s" % (hex(node.template().data_length())) ret += "%s\n" % (format_node(node, extra=extra, indent=indent)) ret += rec(node.template(), indent=indent + 1) else: ret += "%s\n" % (format_node(node, extra="resident=False", indent=indent)) else: ret += "%s\n" % (format_node(node, indent=indent)) for child in node.children(): ret += rec(child, indent=indent + 1) if isinstance(node, RootNode): ofs = node.tag_and_children_length() indent_s = ' ' * (indent + 1) offset = node.offset() - record.offset() + ofs ret += "%sSubstitutions(offset=%s)\n" % (indent_s, hex(offset)) for sub in node.substitutions(): ret += "%s\n" % (format_node(sub, indent=indent + 2)) return ret ret = "" ret += rec(root, indent=indent) return ret def main(): import argparse parser = argparse.ArgumentParser( description="Pretty print the binary structure of an EVTX record.") parser.add_argument("evtx", type=str, help="Path to the Windows EVTX file") parser.add_argument("record", type=int, help="Record number") parser.add_argument("--suppress_values", action="store_true", help="Do not print the values of substitutions.") args = parser.parse_args() with evtx.Evtx(args.evtx) as log: hexdump.hexdump(log.get_record(args.record).data()) record = log.get_record(args.record) print("record(absolute_offset=%s)" % record.offset()) print(describe_root(record, record.root(), suppress_values=args.suppress_values)) print(record.xml()) if __name__ == "__main__": main() python-evtx-0.7.4/scripts/evtx_record_template.py000077500000000000000000000013401402613732500223130ustar00rootroot00000000000000#!/usr/bin/env python import Evtx.Evtx as evtx import Evtx.Views as e_views def main(): import argparse parser = argparse.ArgumentParser( description="Print the structure of an EVTX record's template.") parser.add_argument("evtx", type=str, help="Path to the Windows EVTX file") parser.add_argument("record", type=int, help="Record number") args = parser.parse_args() with evtx.Evtx(args.evtx) as log: r = log.get_record(args.record) if r is None: print("error: record not found") return -1 else: print(e_views.evtx_template_readable_view(r.root())) if __name__ == "__main__": main() python-evtx-0.7.4/scripts/evtx_structure.py000077500000000000000000000146341402613732500212140ustar00rootroot00000000000000#!/usr/bin/env python # This file is part of python-evtx. # # Copyright 2012, 2013 Willi Ballenthin # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import Evtx.Evtx as evtx import Evtx.Nodes as e_nodes class EvtxFormatter(object): def __init__(self): super(EvtxFormatter, self).__init__() self._indent_stack = [] self._indent_unit = " " def _indent(self): self._indent_stack.append(self._indent_unit) def _dedent(self): if len(self._indent_stack) > 0: self._indent_stack = self._indent_stack[:-1] def save_indent(self): return self._indent_stack[:] def restore_indent(self, indent): self._indent_stack = indent def _l(self, s): return "".join(self._indent_stack) + s def format_header(self, fh): yield self._l("File header") self._indent() yield self._l("magic: %s" % (fh.magic())) for num_field in [ "oldest_chunk", "current_chunk_number", "next_record_number", "header_size", "minor_version", "major_version", "header_chunk_size", "chunk_count", "flags", "checksum"]: yield self._l("%s: %s" % (num_field, hex(getattr(fh, num_field)()))) yield self._l("verify: %s" % (fh.verify())) yield self._l("dirty: %s" % (fh.is_dirty())) yield self._l("full: %s" % (fh.is_full())) for chunk in fh.chunks(): for line in self.format_chunk(chunk): yield line self._dedent() def format_chunk(self, chunk): yield self._l("Chunk") self._indent() yield self._l("offset: %s" % (hex(chunk.offset()))) yield self._l("magic: %s" % (chunk.magic())) for num_field in [ "file_first_record_number", "file_last_record_number", "log_first_record_number", "log_last_record_number", "header_size", "last_record_offset", "next_record_offset", "data_checksum", "header_checksum"]: yield self._l("%s: %s" % (num_field, hex(getattr(chunk, num_field)()))) yield self._l("verify: %s" % (chunk.verify())) yield self._l("templates: %d" % (len(chunk.templates()))) for record in chunk.records(): for line in self.format_record(record): yield line self._dedent() def format_record(self, record): yield self._l("Record") self._indent() yield self._l("offset: %s" % (hex(record.offset()))) yield self._l("magic: %s" % (hex(record.magic()))) yield self._l("size: %s" % (hex(record.size()))) yield self._l("number: %s" % (hex(record.record_num()))) yield self._l("timestamp: %s" % (record.timestamp())) yield self._l("verify: %s" % (record.verify())) try: s = self.save_indent() for line in self.format_node(record, record.root()): yield line except Exception as e: self.restore_indent(s) yield "ERROR: " + str(e) self._dedent() def _format_node_name(self, record, node, extra=None): """ note: this doesn't yield, it returns """ line = "" if extra is not None: line = "%s(offset=%s, %s)" % (node.__class__.__name__, hex(node.offset() - record.offset()), extra) else: line = "%s(offset=%s)" % (node.__class__.__name__, hex(node.offset() - record.offset())) if isinstance(node, e_nodes.VariantTypeNode): line += " --> %s" % (node.string()) if isinstance(node, e_nodes.OpenStartElementNode): line += " --> %s" % (node.tag_name()) if isinstance(node, e_nodes.AttributeNode): line += " --> %s" % (node.attribute_name().string()) return line def format_node(self, record, node): extra = None if isinstance(node, e_nodes.TemplateInstanceNode) and node.is_resident_template(): extra = "resident=True, length=%s" % (hex(node.template().data_length())) elif isinstance(node, e_nodes.TemplateInstanceNode): extra = "resident=False" yield self._l(self._format_node_name(record, node, extra=extra)) if isinstance(node, e_nodes.BXmlTypeNode): self._indent() for line in self.format_node(record, node._root): yield line self._dedent() elif isinstance(node, e_nodes.TemplateInstanceNode) and node.is_resident_template(): self._indent() for line in self.format_node(record, node.template()): yield line self._dedent() self._indent() for child in node.children(): for line in self.format_node(record, child): yield line self._dedent() if isinstance(node, e_nodes.RootNode): ofs = node.tag_and_children_length() yield self._l("Substitutions(offset=%s)" % (hex(node.offset() - record.offset() + ofs))) self._indent() for sub in node.substitutions(): for line in self.format_node(record, sub): yield line self._dedent() def main(): import argparse parser = argparse.ArgumentParser( description="Dump the structure of an EVTX file.") parser.add_argument("evtx", type=str, help="Path to the Windows EVTX event log file") args = parser.parse_args() with evtx.Evtx(args.evtx) as log: formatter = EvtxFormatter() for line in formatter.format_header(log.get_file_header()): print(line) if __name__ == "__main__": main() python-evtx-0.7.4/scripts/evtx_templates.py000077500000000000000000000030131402613732500211370ustar00rootroot00000000000000#!/usr/bin/env python # This file is part of python-evtx. # # Copyright 2012, 2013 Willi Ballenthin # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Version v0.1 import Evtx.Evtx as evtx import Evtx.Views as e_views def main(): import argparse parser = argparse.ArgumentParser( description="Dump templates from a binary EVTX file.") parser.add_argument("evtx", type=str, help="Path to the Windows EVTX event log file") args = parser.parse_args() with evtx.Evtx(args.evtx) as log: for i, chunk in enumerate(log.chunks()): for template in list(chunk.templates().values()): print("Template {%s} at chunk %d, offset %s" % (template.guid(), i, hex(template.absolute_offset(0x0)))) print(e_views.evtx_template_readable_view(template)) if __name__ == "__main__": main() python-evtx-0.7.4/setup.py000066400000000000000000000036361402613732500155540ustar00rootroot00000000000000#!/usr/bin/env python import setuptools long_description = """python-evtx is a pure Python parser for \ Windows Event Log files (those with the file extension ".evtx"). \ The module provides programmatic access to the File and Chunk headers, \ record templates, and event entries. For example, you can use \ python-evtx to review the event logs of Windows 7 systems from \ a Mac or Linux workstation. The structure definitions and parsing \ strategies were heavily inspired by the work of Andreas Schuster \ and his Perl implementation "Parse-Evtx".""" setuptools.setup( name="python-evtx", version="0.7.4", description="Pure Python parser for recent Windows event log files (.evtx).", long_description=long_description, author="Willi Ballenthin", author_email="willi.ballenthin@gmail.com", url="https://github.com/williballenthin/python-evtx", license="Apache 2.0 License", packages=setuptools.find_packages(), install_requires=[ 'six', 'hexdump==3.3', # pin deps for python 2, see #67 'more_itertools==5.0.0', 'zipp==1.0.0', 'configparser==4.0.2', 'pyparsing==2.4.7', ], extras_require={ # For running unit tests & coverage "test": [ 'pytest-cov==2.11.1', 'pytest==4.6.11', 'lxml==4.6.3', ] }, scripts=['scripts/evtx_dump.py', 'scripts/evtx_dump_chunk_slack.py', 'scripts/evtx_eid_record_numbers.py', 'scripts/evtx_extract_record.py', 'scripts/evtx_filter_records.py', 'scripts/evtx_info.py', 'scripts/evtx_record_structure.py', 'scripts/evtx_structure.py', 'scripts/evtx_templates.py', ], ) python-evtx-0.7.4/tests/000077500000000000000000000000001402613732500151745ustar00rootroot00000000000000python-evtx-0.7.4/tests/data/000077500000000000000000000000001402613732500161055ustar00rootroot00000000000000python-evtx-0.7.4/tests/data/dns_log_malformed.evtx000066400000000000000000002100001402613732500224610ustar00rootroot00000000000000ElfFile€š#ElfChnk€¸8õc‘תŒ«(d- ujU =½˜P0"ŸyEæÁøï MÙ<E  **€ ÊÎmr:Ò ãhV&ãhVh4þE &å>þ)j˯šðÅi{vÜÿÿÐ- AÿÿU =TCP Aÿÿ-U = InterfaceIP Aÿÿ#U =Source AÿÿU =RD Aÿÿ!U =QNAME Aÿÿ!U =QTYPE AÿÿU =XID AÿÿU =Port Aÿÿ!U =Flags Aÿÿ+U = BufferSize Aÿÿ+U = PacketData    %193.1.36.1210.9.15.202b._dns-sd._udp.@¦5. wÕ%wb_dns-sd_udp@¦5  X**€ÊÎmr:Ò ãhV&  Ä!€ÊÎmr:Ò˜Ô`Žõ‡ÖÑ  W  0202.12.27.330.0.0.0b._dns-sd._udp.@¦5. ÎL.Default0LÎb_dns-sd_udp@¦5 ) €€**`ÊÎmr:Ò ãhV&  ¤!€ÊÎmr:Ò˜ÔaŽõ‡ÖÑ å>þE   %193.1.36.1210.9.15.202r._dns-sd._udp.@¦5. OÆî%Or_dns-sd_udp@¦5 `**€ ãhV&  Ã!€ÊÎmr:Ò˜ÔbŽõ‡ÖÑ  W  0199.7.91.130.0.0.0r._dns-sd._udp.@¦5. ,Ñ.Default0Ñ,r_dns-sd_udp@¦5 ) €€ŠoDataK•NameRCODE Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags Aÿÿ5ŠoDataK•NameScope Aÿÿ3ŠoDataK•NameZone Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData    Œ193.1.36.1310.7.13.30ph.yahoo.com.3ÑÚ€Default..CacheŒ3€phyahoocomÀ ,media-router-rc1prodmediaÀÀ*ò(oob-media-router-rc1prodmediawg1bÀÀT#Ù % q¥ … m  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  !€žkyq:Òl¤oúº ®ŽðßûSK9¥]VûÂaÖÌÿÿÀD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name InterfaceIP Aÿÿ7ŠoDataK•NameSource Aÿÿ/ŠoDataK•NameRD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags Aÿÿ1ŠoDataK•NameXID Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData    0193.1.36.1310.7.13.30oob-media-router-rc1.prod.media.wg1.b.yahoo.com.ÑÚ€33€phyahoocom p› { c  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  †!€žkyq:Òl¤núº ®ŽðßûSK9¥]VûÂaÖÌÿÿÀD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name InterfaceIP Aÿÿ7ŠoDataK•NameSource Aÿÿ/ŠoDataK•NameRD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags Aÿÿ1ŠoDataK•NameXID Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData    &193.1.36.1310.7.13.30media-router-rc1.prod.media.yahoo.com.ÑÚ€33€phyahoocom ovA !  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  ,! €žkyq:Òl¤múº ûþ¤•~iÇdz£gÊvúªÿÿ„D‚ EventDataAÿÿ1ŠoDataK•NameTCP Aÿÿ7ŠoDataK•NameSource AÿÿAŠoData)K•Name InterfaceIP Aÿÿ/ŠoDataK•NameAA Aÿÿ/ŠoDataK•NameAD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags AÿÿAŠoData)K•Name ServerScope Aÿÿ?ŠoData'K•Name CacheScope Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData   ý68.142.255.160.0.0.0ph.yahoo.com.g„.Defaultýg„phyahoocomÀ ,media-router-rc1prodmediaÀÀ*(oob-media-router-rc1prodmediawg1bÀÀt£yf4a1byahoonetÀt£yf1ÀÀt£yf3ÀŒÀt£yf2ÀÀ¨Q€DŽþÀÌQ€D´‚)ø€ n<    vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  '!€žkyq:Òl¤lúº WAm‚0áõkÜ„ÜdÿÿXD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name Destination AÿÿAŠoData)K•Name InterfaceIP Aÿÿ/ŠoDataK•NameRD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags AÿÿAŠoData)K•Name ServerScope Aÿÿ?ŠoData'K•Name CacheScope Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData    )68.142.255.160.0.0.0ph.yahoo.com.g.Default)gphyahoocom) € m‚ b J  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  m!€žkyq:Òl¤kúº å>þ)j˯šðÅi{vÌÿÿÀD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name InterfaceIP Aÿÿ7ŠoDataK•NameSource Aÿÿ/ŠoDataK•NameRD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData     193.1.36.1310.7.13.30ph.yahoo.com.3ÑÚ3phyahoocom l<    vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  '!€žkyq:Òl¤júº WAm‚0áõkÜ„ÜdÿÿXD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name Destination AÿÿAŠoData)K•Name InterfaceIP Aÿÿ/ŠoDataK•NameRD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags AÿÿAŠoData)K•Name ServerScope Aÿÿ?ŠoData'K•Name CacheScope Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData    )68.180.131.160.0.0.0nz.yahoo.com.&.Default)&nzyahoocom) € k‚ b J  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  m!€žkyq:Òl¤iúº å>þ)j˯šðÅi{vÌÿÿÀD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name InterfaceIP Aÿÿ7ŠoDataK•NameSource Aÿÿ/ŠoDataK•NameRD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData     193.1.36.1310.7.13.30nz.yahoo.com.~Þç~nzyahoocom jV 6   vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  A!€„§yq:Òl¤húº ¿AŒÑÎdòb˜«v>íüÿÿðD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name InterfaceIP AÿÿAŠoData)K•Name Destination Aÿÿ/ŠoDataK•NameAA Aÿÿ/ŠoDataK•NameAD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ7ŠoDataK•NameDNSSEC Aÿÿ5ŠoDataK•NameRCODE Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags Aÿÿ5ŠoDataK•NameScope Aÿÿ3ŠoDataK•NameZone Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData    Œ193.1.36.1310.7.13.30id.yahoo.com.›™>Ý€Default..CacheŒ™›€idyahoocomÀ ,media-router-fp1prodmediaÀÀ*,(oob-media-router-fp1prodmediawg1bÀÀT,¼}P ià £ ‹  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  ®! €„§yq:Òl¤gúº ûþ¤•~iÇdz£gÊvúªÿÿ„D‚ EventDataAÿÿ1ŠoDataK•NameTCP Aÿÿ7ŠoDataK•NameSource AÿÿAŠoData)K•Name InterfaceIP Aÿÿ/ŠoDataK•NameAA Aÿÿ/ŠoDataK•NameAD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags AÿÿAŠoData)K•Name ServerScope Aÿÿ?ŠoData'K•Name CacheScope Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData  0\68.180.130.150.0.0.0oob-media-router-fp1.prod.media.wg1.b.yahoo.com.QÕ„.Default\ÕQ„oob-media-router-fp1prodmediawg1byahoocomÀ ,¼}P)€ h ‚ b J  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  m!€Eyq:Òl¤fúº WAm‚0áõkÜ„ÜdÿÿXD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name Destination AÿÿAŠoData)K•Name InterfaceIP Aÿÿ/ŠoDataK•NameRD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags AÿÿAŠoData)K•Name ServerScope Aÿÿ?ŠoData'K•Name CacheScope Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData   0L68.180.130.150.0.0.0oob-media-router-fp1.prod.media.wg1.b.yahoo.com.QÕ.DefaultLÕQoob-media-router-fp1prodmediawg1byahoocom) € g¥ … m  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  !€Eyq:Òl¤eúº ®ŽðßûSK9¥]VûÂaÖÌÿÿÀD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name InterfaceIP Aÿÿ7ŠoDataK•NameSource Aÿÿ/ŠoDataK•NameRD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags Aÿÿ1ŠoDataK•NameXID Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData    0193.1.36.1310.7.13.30oob-media-router-fp1.prod.media.wg1.b.yahoo.com.>Ý€›™™›€idyahoocom fr› { c  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  †!€Eyq:Òl¤dúº ®ŽðßûSK9¥]VûÂaÖÌÿÿÀD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name InterfaceIP Aÿÿ7ŠoDataK•NameSource Aÿÿ/ŠoDataK•NameRD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags Aÿÿ1ŠoDataK•NameXID Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData    &193.1.36.1310.7.13.30media-router-fp1.prod.media.yahoo.com.>Ý€›™™›€idyahoocom e A !  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  ,! €Eyq:Òl¤cúº ûþ¤•~iÇdz£gÊvúªÿÿ„D‚ EventDataAÿÿ1ŠoDataK•NameTCP Aÿÿ7ŠoDataK•NameSource AÿÿAŠoData)K•Name InterfaceIP Aÿÿ/ŠoDataK•NameAA Aÿÿ/ŠoDataK•NameAD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags AÿÿAŠoData)K•Name ServerScope Aÿÿ?ŠoData'K•Name CacheScope Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData   ý68.180.131.160.0.0.0id.yahoo.com.mP„.DefaultýPm„idyahoocomÀ ,media-router-fp1prodmediaÀÀ*,(oob-media-router-fp1prodmediawg1bÀÀt£yf4a1byahoonetÀt£yf1ÀÀt£yf2ÀÀt£yf3ÀŒÀ¨Q€DŽþÀºQ€D´‚)ø€ d<    vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  '!€ãyq:Òl¤búº WAm‚0áõkÜ„ÜdÿÿXD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name Destination AÿÿAŠoData)K•Name InterfaceIP Aÿÿ/ŠoDataK•NameRD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags AÿÿAŠoData)K•Name ServerScope Aÿÿ?ŠoData'K•Name CacheScope Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData    )68.180.131.160.0.0.0id.yahoo.com.mP.Default)Pmidyahoocom) € c‚ b J  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  m!€ãyq:Òl¤aúº å>þ)j˯šðÅi{vÌÿÿÀD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name InterfaceIP Aÿÿ7ŠoDataK•NameSource Aÿÿ/ŠoDataK•NameRD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData     193.1.36.1310.7.13.30id.yahoo.com.›™>Ý™›idyahoocom bí Í µ  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  Ø!€Ì»ûxq:Òl¤`úº ¿AŒÑÎdòb˜«v>íüÿÿðD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name InterfaceIP AÿÿAŠoData)K•Name Destination Aÿÿ/ŠoDataK•NameAA Aÿÿ/ŠoDataK•NameAD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ7ŠoDataK•NameDNSSEC Aÿÿ5ŠoDataK•NameRCODE Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags Aÿÿ5ŠoDataK•NameScope Aÿÿ3ŠoDataK•NameZone Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData    ,193.1.36.1310.7.17.3tpn134.com.ÝPXÄ„DefaultNULL,PÝ„tpn134comÀ ,­àNð al L 4  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  W! €Ì»ûxq:Òl¤_úº ûþ¤•~iÇdz£gÊvúªÿÿ„D‚ EventDataAÿÿ1ŠoDataK•NameTCP Aÿÿ7ŠoDataK•NameSource AÿÿAŠoData)K•Name InterfaceIP Aÿÿ/ŠoDataK•NameAA Aÿÿ/ŠoDataK•NameAD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags AÿÿAŠoData)K•Name ServerScope Aÿÿ?ŠoData'K•Name CacheScope Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData   ,64.99.96.360.0.0.0tpn134.com.â„.Default,â„tpn134comÀ ,­àNð `#  ë  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  !€Ì»ûxq:Òl¤^úº ¿AŒÑÎdòb˜«v>íüÿÿðD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name InterfaceIP AÿÿAŠoData)K•Name Destination Aÿÿ/ŠoDataK•NameAA Aÿÿ/ŠoDataK•NameAD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ7ŠoDataK•NameDNSSEC Aÿÿ5ŠoDataK•NameRCODE Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags Aÿÿ5ŠoDataK•NameScope Aÿÿ3ŠoDataK•NameZone Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData    Y193.1.36.1310.7.13.30au.yahoo.com.”"î€Default..CacheY"”€auyahoocomÀ ,fd-fp2wg1bÀÀ*<.ä/sÀ*<.ä/r _Œ l T  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  w!€Ì»ûxq:Òl¤]úº ®ŽðßûSK9¥]VûÂaÖÌÿÿÀD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name InterfaceIP Aÿÿ7ŠoDataK•NameSource Aÿÿ/ŠoDataK•NameRD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags Aÿÿ1ŠoDataK•NameXID Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData    193.1.36.1310.7.13.30fd-fp2.wg1.b.yahoo.com.""”€auyahoocom ^þ Þ Æ  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  é! €Ì»ûxq:Òl¤\úº ûþ¤•~iÇdz£gÊvúªÿÿ„D‚ EventDataAÿÿ1ŠoDataK•NameTCP Aÿÿ7ŠoDataK•NameSource AÿÿAŠoData)K•Name InterfaceIP Aÿÿ/ŠoDataK•NameAA Aÿÿ/ŠoDataK•NameAD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags AÿÿAŠoData)K•Name ServerScope Aÿÿ?ŠoData'K•Name CacheScope Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData   º68.180.131.160.0.0.0au.yahoo.com.Ží„.DefaultºíŽ„auyahoocomÀ ,fd-fp2wg1bÀÀ1£yf1ÀÀ1£yf2ÀÀ1£yf4a1byahoonetÀ1£yf3ÀmÀEQ€DŽþÀWQ€D´‚)ø€ ]K +   vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  6!€Ì»ûxq:Òl¤[úº ¿AŒÑÎdòb˜«v>íüÿÿðD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name InterfaceIP AÿÿAŠoData)K•Name Destination Aÿÿ/ŠoDataK•NameAA Aÿÿ/ŠoDataK•NameAD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ1ŠoDataK•NameXID Aÿÿ7ŠoDataK•NameDNSSEC Aÿÿ5ŠoDataK•NameRCODE Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags Aÿÿ5ŠoDataK•NameScope Aÿÿ3ŠoDataK•NameZone Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData   ~193.1.36.1310.7.17.3cdn.ideamelt.com.¦?ïÓ€Default..Cache~?¦€cdnideameltcomÀ +2cdnideameltcoms3-website-us-west-2 amazonawsÀÀ.;À?Àl6ç±+ \› { c  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  †!€Ì»ûxq:Òl¤Zúº ®ŽðßûSK9¥]VûÂaÖÌÿÿÀD‚ EventDataAÿÿ1ŠoDataK•NameTCP AÿÿAŠoData)K•Name InterfaceIP Aÿÿ7ŠoDataK•NameSource Aÿÿ/ŠoDataK•NameRD Aÿÿ5ŠoDataK•NameQNAME Aÿÿ5ŠoDataK•NameQTYPE Aÿÿ3ŠoDataK•NamePort Aÿÿ5ŠoDataK•NameFlags Aÿÿ1ŠoDataK•NameXID Aÿÿ?ŠoData'K•Name BufferSize Aÿÿ?ŠoData'K•Name PacketData    #"193.1.36.1310.7.17.3s3-website-us-west-2.amazonaws.com.ïÓ€¦?"?¦€cdnideameltcom [d D ,  vŸÔÓiéɨèIÁÓ›†1A%º Event¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ…oTSystemAÿÿÃñ{Provider¨FK•NameMicrosoft-Windows-DNSServer)Guid&{eb79061a-a566-4698-9119-3ed2807060e7}A=õaEventID)Ú Qualifiers  Version dÎLevelE{Task®OpcodejÏKeywordsAÿÿ@;Ž TimeCreated<{ SystemTime &F EventRecordID Aÿÿm¢ò CorrelationLF ñ ActivityID5ÅRelatedActivityIDAÿÿò¸µ ExecutionÕF × ProcessIDF…9ThreadID FÑà SessionID FÍÉ ProcessorIDFjé KernelTimeFxÊUserTime_ ProcessorTime ÿÿfƒaChannel&Microsoft-Windows-DNSServer/Analyticalÿÿ:;nComputerITBDNS04.itb.ieAÿÿ2 .SecurityfLUserID !  O! €Ì»ûxq:Òl¤Yúº ûþpython-evtx-0.7.4/tests/data/issue_38.evtx000066400000000000000000002100001402613732500204500ustar00rootroot00000000000000ElfFile€ÿÐElfChnk€ =è|Ç#ÊÖóèþ=΃÷¦›f?øm©MFº¯** JâëÒ 쪤©&쪤©G†y)¿gǤ†úVGŠA~Mº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÎøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿ6F‘;nComputer foobar-PCAÿÿBƒ .Security¦fLUserID ! Fy!1@ €øMnñáëÒð8µEMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«¯&®x«C‚Å“Â-žhÿÿ\ÖD‚ EventDataAÿÿEþΊoData%=SubjectUserSid Aÿÿ5þ'=SubjectUserName Aÿÿ9þ+=SubjectDomainName Aÿÿ3þ%=SubjectLogonId Aÿÿ1þ#= PrivilegeList  qõ±Ï jy“+ŒO»éfoobarfoobar-PC¯ÓSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeo TrustedInstaller/4€**(ÊRë³hoèëÒ åkoX& y!|@€€ë³hoèëÒèÜ ÊR ÞáÜ48:  Cliché instantané des volumesarrêté VSS/1prv/(**XËRë…²ÚèëÒ åkoX& ¯!|@€€ë…²ÚèëÒè´ËR ÞáÜ48l Fournisseur de cliché instantané de logiciel Microsoftarrêtéswprv/1X**ˆÌRköCvéëÒ åkoX&  Í!€@€€köCvéëÒèH ÌR cÒ3cÒ3þœ ©™Î}²F±ôºÿÿ®_Aÿÿ#‡=param1 Aÿÿ#‡=param2 Aÿÿ#‡=param3 Aÿÿ#‡=param4 b,* Programme d installation pour les modules WindowsDémarrage à la demandeDémarrage automatiqueTrustedInstaller autˆ**°ÍR‡DRvéëÒ åkoX&  û!€@€€‡DRvéëÒèH ÍR cÒ3b*, Programme d installation pour les modules WindowsDémarrage automatiqueDémarrage à la demandeTrustedInstallert°**hÎR•kYvéëÒ åkoX& »!|@€€•kYvéëÒèH ÎR ÞáÜ48b &Programme d installation pour les modules Windowsarrêté&TrustedInstaller/1Ah**ØÏRu—zìëÒ 쪤©–쪤©G†y)¿gǤ†úVGêAÞMsj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿVøAÿÿF=†AS t §  Ð õ  ?Aÿÿj “ Á AÿÿöFF Aÿÿ‚F§Ì  öÿÿ+ foobar-PCAÿÿh ‹ !  J Å! €u—zìëÒô|ÏRMicrosoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem %ö$!‹%ö$!R\FC ƒ;úKÀÿÿ´_Aÿÿ7‡)=schedinstalldate Aÿÿ7‡)=schedinstalltime Aÿÿ+‡= updatelist . – samedi  24  juin  201703:00 - Mise à jour pour Microsoft Visual Studio 2010 Service Pack 1 (KB2890573)Ø**8ÐRá8Ú(íëÒ åkoX& ‹!|@€€á8Ú(íëÒèä ÐR ÞáÜ48*(Protection logicielleen cours d exécutionsppsvc/48**ÀÑR^)íëÒ åkoX& !|@€€^)íëÒè¸ÑR ÞáÜ48š(,Service de découverte automatique de Proxy Web pour les services HTTP Windowsen cours d exécution,WinHttpAutoProxySvc/4À**ÒR«1æÛíëÒ åkoX& o!|@€€«1æÛíëÒèÈÒR ÞáÜ48* Protection logiciellearrêtésppsvc/1**¨ÓRawïëÒ åkoX& ù!|@€€awïëÒèH ÓR ÞáÜ48š ,Service de découverte automatique de Proxy Web pour les services HTTP Windowsarrêté,WinHttpAutoProxySvc/1¨**ÀÔRÕ[ŽóüëÒ åkoX& !|@€€Õ[ŽóüëÒè0 ÔR ÞáÜ48š(,Service de découverte automatique de Proxy Web pour les services HTTP Windowsen cours d exécution,WinHttpAutoProxySvc/4À**¨ÕRÕ^¤AÿëÒ åkoX& ù!|@€€Õ^¤AÿëÒèÌ ÕR ÞáÜ48š ,Service de découverte automatique de Proxy Web pour les services HTTP Windowsarrêté,WinHttpAutoProxySvc/1¨**XÖR€§‡¦ìÒ  èŽ!8 è‰Ùt0*ñÉéÆbƒo—A‹Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿøAÿÿ"=EventLogAS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿ+ foobar-PCAÿÿh ‹ ! !}€€€§‡¦ìÒÖR FÓìÈ#FÓì%g>¶9×{p(é4ÿÿ(_ ‡ í>T1654960-60 Paris, MadridT1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_ldr.170512-060053c1377aNot AvailableNot Available91409640cfoobar-PCX**À×R%»QŸ ìÒ åkoX& !|@€€%»QŸ ìÒè°×R ÞáÜ48š(,Service de découverte automatique de Proxy Web pour les services HTTP Windowsen cours d exécution,WinHttpAutoProxySvc/4À**¨ØR%¾gí ìÒ åkoX& ù!|@€€%¾gí ìÒèà ØR ÞáÜ48š ,Service de découverte automatique de Proxy Web pour les services HTTP Windowsarrêté,WinHttpAutoProxySvc/1¨**PÙR'‹hìÒ åkoX& ¡!|@€€'‹hìÒè< ÙR ÞáÜ48>(Service Google Update (gupdate)en cours d exécutiongupdate/4P**ÀÚR÷!žhìÒ åkoX& !|@€€÷!žhìÒèÜÚR ÞáÜ48š(,Service de découverte automatique de Proxy Web pour les services HTTP Windowsen cours d exécution,WinHttpAutoProxySvc/4À**0ÛRaâÿhìÒ åkoX& …!|@€€aâÿhìÒèÜÛR ÞáÜ48> Service Google Update (gupdate)arrêtégupdate/10**¨ÜR÷$´¶ìÒ åkoX& ù!|@€€÷$´¶ìÒè°ÜR ÞáÜ48š ,Service de découverte automatique de Proxy Web pour les services HTTP Windowsarrêté,WinHttpAutoProxySvc/1¨**XÝRÃãÄìÒ 쪤©–  P =!΀ÃãÄìÒ¨(ÝRMicrosoft-Windows-Application-ExperienceqNõîa-Bš˜‚ýI@¸ System Ý&Îî/0Ý&ÎîË|Ö Žp)·cîÿÿ_X**HÞR ÃŽìÒ åkoX& ›!|@€€ ÃŽìÒèT ÞR ÞáÜ480(Expérience d applicationen cours d exécutionAeLookupSvc/4H**XßR"Âä“ìÒ åkoX& ©!|@€€"Âä“ìÒèèßR ÞáÜ48H(Service de rapport d erreurs Windowsen cours d exécutionWerSvc/4X**8àR ØiÚìÒ åkoX& !|@€€ ØiÚìÒèäàR ÞáÜ48H Service de rapport d erreurs WindowsarrêtéWerSvc/18**ÀáRˆ·#&ìÒ åkoX& !|@€€ˆ·#&ìÒèäáR ÞáÜ48š(,Service de découverte automatique de Proxy Web pour les services HTTP Windowsen cours d exécution,WinHttpAutoProxySvc/4À**(âR±–ÃþìÒ åkoX& !|@€€±–ÃþìÒèèâR ÞáÜ480 Expérience d applicationarrêtéAeLookupSvc/1(**¨ãRô¸ßìÒ åkoX& ù!|@€€ô¸ßìÒèT ãR ÞáÜ48š ,Service de découverte automatique de Proxy Web pour les services HTTP Windowsarrêté,WinHttpAutoProxySvc/1¨**ðäRWÜ>ìÒ >Ïšæö8>ÏšæñÊ"%ÀÀŸÜA‰Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿøAÿÿ =BROWSERAS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿ+ foobar-PCAÿÿh ‹ ! ™!a@€WÜ>ìÒäR FÓìÈ#v\Device\NetBT_Tcpip_{B5B7D17E-ACFA-48A9-BB2D-FEBBDA292144}ð**°åR˜{ @ìÒ åkoX&  õ!‚@€€˜{ @ìÒèÐ åR ÏS”}<ÏS”IHuéQ"u¶ÇÆ––äÿÿØ_Aÿÿ#‡=param1 Aÿÿ#‡=param2 Aÿÿ#‡=param3 Aÿÿ#‡=param4 Aÿÿ#‡=param5 :l Assistance NetBIOS sur TCP/IPArrêter0x40030011Système d exploitation: Connectivité réseau (Planifié)Aucun°**0æR˜{ @ìÒ åkoX& !|@€€˜{ @ìÒèÐ æR ÞáÜ48: Assistance NetBIOS sur TCP/IParrêtélmhosts/10**¸çRƒ‰ïÒ 쪤©–  @ ­!€ƒ‰ïÒœ¸çRMicrosoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <Õ¯@–z <ÕÐ!ö{ôA²»Äjÿÿ^_Aÿÿ%‡=NewTime Aÿÿ%‡=OldTime ƒ‰ïÒ¦@ìÒ¸**@èR –BïÒ åkoX& •!|@€€ –BïÒèà èR ÞáÜ48:( Cliché instantané des volumesen cours d exécution VSS/4@**xéRrLïÒ åkoX& Ë!|@€€rLïÒèÐ éR ÞáÜ48l(Fournisseur de cliché instantané de logiciel Microsoften cours d exécutionswprv/4x**HêRÚÕ†ïÒ åkoX& !|@€€ÚÕ†ïÒèà êR ÞáÜ48:(Assistance NetBIOS sur TCP/IPen cours d exécutionlmhosts/4H**ÀëRžøêïÒ åkoX& !|@€€žøêïÒèÐ ëR ÞáÜ48š(,Service de découverte automatique de Proxy Web pour les services HTTP Windowsen cours d exécution,WinHttpAutoProxySvc/4À**€ìRÚ\ ïÒ åkoX& ×!|@€€Ú\ ïÒèÐ ìR ÞáÜ48b(&Programme d installation pour les modules Windowsen cours d exécution&TrustedInstaller/4€**ðíR¢í. ïÒ ù['¾Hù['ùïà°¸Öx•?óú•A‰Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿøAÿÿ =volsnapAS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿ+ foobar-PCAÿÿh ‹ ! •!!@€¢í. ïÒ@íR FÓìÈ#J(\Device\HarddiskVolumeShadowCopy1C:(0!@ð**8îRôTÆïÒ åkoX& ‰!|@€€ôTÆïÒèà îR ÞáÜ48"(Windows Installeren cours d exécutionmsiserver/48**èïRÌ2WïÒ 쪤©–  J Ñ! (€Ì2WïÒôÄïRMicrosoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem  ùõ\ÙM ùõ\pT¶ûNŠØl‚Aîÿÿâ_Aÿÿ)‡= errorCode Aÿÿ-‡= updateTitle Aÿÿ+‡= updateGuid Aÿÿ?‡1=updateRevisionNumber C€Mise à jour pour Microsoft Visual Studio 2010 Service Pack 1 (KB2890573)Öän2²hD–q*数ÃÈèpython-evtx-0.7.4/tests/data/issue_39.evtx000066400000000000000000040100001402613732500204530ustar00rootroot00000000000000ElfFile ‹€ háKÈElfChnkii€ÀýÈÿ¥Wö‚…ÞwIóèF=Î÷²›f?øm©MFºù ÷&þQ**¨®–¤…ˆÓÑ „eR&„eR¶Pý•gëZÉJ–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-QVEQEK7H2OMAÿÿB .Security²fLUserID !  0Hµ!eè@®–¤…ˆÓÑ`ˆ)F"8hMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"÷<¥Ž"!²âÄkt':îA!ÆÿÿºD‚ EventDataAÿÿ;FΊoData= Operation Aÿÿ%F=Details Aÿÿ#F=Status  ˜Service startedThe service will auto stop if no requests received for some period of time.¨**î1؈ÓÑ „eR&  0H½!á@@î1؈ÓÑ°ƒ5F"@Ç5F"8hMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ Ìä¼ä£ç¼ÔõˆýŠÏ˜xÿÿlAÿÿ/F!= FunctionName Aÿÿ)F= ErrorCode WLIDCreateContext_€€**Xˆ*2؈ÓÑ „eR&  0H!ì@ˆ*2؈ÓÑôQeˆÓRReˆÓÑ°ðMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù ¯Ú[ƳµÊîz~´î#xÿÿlAÿÿ/F!= FunctionName Aÿÿ)F= ErrorCode eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandle_€€X**ÈÏË2؈ÓÑ „eR&  0H!ì@ÏË2؈ÓÑôQeˆÓRReˆÓÑ°ðMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù dWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::RetrieveDeviceData߀È**xÉ֖؈ÓÑ „eR&  0H-!á@@É֖؈ÓÑôQeˆÓRReˆÓÑ8hMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContext_€€x**Èï1žØˆÓÑ „eR&  0H€!ì@ï1žØˆÓÑôQeˆÓÅReˆÓÑ°ðMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandle_€€È**È`2žØˆÓÑ „eR&  0H!ì@`2žØˆÓÑôQeˆÓÅReˆÓÑ°ðMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù dWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::RetrieveDeviceData߀È**0÷ƒóˆÓÑ ÉQmþÉQmÙÔú\ëWb«mÆßöAêMsj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿbøAÿÿF=XAz › Î  ÷  ? fAÿÿ‘ º è AÿÿFFm Aÿÿ©FÎó  ÿÿ(FDESKTOP-CH5HRODAÿÿ ² !  0H×!eè@÷ƒóˆÓÑ`ˆiºQ0XMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"÷ ˜Service startedThe service will auto stop if no requests received for some period of time.0**¸ ‹ þ‰ÓÑ ÉQmþ  0Hq!ã @‹ þ‰ÓÑ`ˆiºQ0X Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Qñ *"Û5IE‰/<‘rEst:ÿÿ.Aÿÿ!F=Value  ****************¸**ø áÂþ‰ÓÑ ÉQmþ  0H²!ã @áÂþ‰ÓÑ`ˆiºQ0X Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**ø ‹…ÿ‰ÓÑ ÉQmþ  0H²!ã @‹…ÿ‰ÓÑ`ˆiºQ0X Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**x ¹ ‰ÓÑ ÉQmþ  0H-!á@@¹ ‰ÓÑ`ˆiºQ0X Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**È ò‰ÓÑ ÉQmþ  0H€!ì@ò‰ÓÑøÌ#êˆÓzÎ#êˆÓÑ”P Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**hÓ¬‰ÓÑ ÉQmþ  0H!ã @Ó¬‰ÓÑøÌ#êˆÓzÎ#êˆÓÑ0PMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**ø®à‰ÓÑ ÉQmþ  0H²!ã @®à‰ÓÑøÌ#êˆÓzÎ#êˆÓÑ0PMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**h½çà$‰ÓÑ ÉQmþ  0H!ã @½çà$‰ÓÑøÌ#êˆÓzÎ#êˆÓÑ0PMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**øáá$‰ÓÑ ÉQmþ  0H²!ã @áá$‰ÓÑøÌ#êˆÓzÎ#êˆÓÑ0PMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**xØá$‰ÓÑ ÉQmþ  0H-!á@@Øá$‰ÓÑøÌ#êˆÓzÎ#êˆÓÑ0PMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**Ȳá$‰ÓÑ ÉQmþ  0H€!ì@²á$‰ÓÑøÌ#êˆÓöÎ#êˆÓÑ Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**hU£LL‰ÓÑ ÉQmþ  0H!ã @U£LL‰ÓÑ`ˆiºQ0PMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**øµML‰ÓÑ ÉQmþ  0H²!ã @µML‰ÓÑ`ˆiºQ0PMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**xpML‰ÓÑ ÉQmþ  0H-!á@@pML‰ÓÑ`ˆiºQ0PMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**ÈlML‰ÓÑ ÉQmþ  0H€!ì@lML‰ÓÑøÌ#êˆÓ Ï#êˆÓÑ Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**hÂÜS‰ÓÑ ÉQmþ  0H!ã @ÂÜS‰ÓÑøÌ#êˆÓ Ï#êˆÓÑ0PMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**ø¹úS‰ÓÑ ÉQmþ  0H²!ã @¹úS‰ÓÑøÌ#êˆÓ Ï#êˆÓÑ0PMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**x¨I‚S‰ÓÑ ÉQmþ  0H-!á@@¨I‚S‰ÓÑøÌ#êˆÓ Ï#êˆÓÑ0PMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**È£P‚S‰ÓÑ ÉQmþ  0H€!ì@£P‚S‰ÓÑøÌ#êˆÓÏ#êˆÓÑ Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**¸@â²Ð‰ÓÑ ÉQmþ  0Hq!eè@@â²Ð‰ÓÑøÌ#êˆÓÏ#êˆÓÑ0HMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"÷ 2Service stoppedThe service has stopped.¸** Œ¨ó‰ÓÑ ÉQmþ  0H×!eè@Œ¨ó‰ÓÑ`ˆiºQ0PMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"÷ ˜Service startedThe service will auto stop if no requests received for some period of time. **h¹¼ó‰ÓÑ ÉQmþ  0H!ã @¹¼ó‰ÓÑ`ˆiºQ08Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**øᓽó‰ÓÑ ÉQmþ  0H²!ã @ᓽó‰ÓÑ`ˆiºQ08Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**h bÂó‰ÓÑ ÉQmþ  0H!ã @bÂó‰ÓÑ`ˆiºQ0X Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**ø!sÌÂó‰ÓÑ ÉQmþ  0H²!ã @sÌÂó‰ÓÑ`ˆiºQ0X!Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**"îÃó‰ÓÑ ÉQmþ 0H²!ã @îÃó‰ÓÑ`ˆiºQ0X"©Ž²CÊßk÷.VDèMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ****#@:Åó‰ÓÑ ÉQmþ 0H²!ã @@:Åó‰ÓÑ`ˆiºQ0X#©Ž²CÊßk÷.VDèMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ****h$ÆÔÈó‰ÓÑ ÉQmþ  0H!ã @ÆÔÈó‰ÓÑ`ˆiºQ0P$Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**ø%!ŒÉó‰ÓÑ ÉQmþ  0H²!ã @!ŒÉó‰ÓÑ`ˆiºQ0P%Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**h&àÿÍó‰ÓÑ ÉQmþ  0H!ã @àÿÍó‰ÓÑ`ˆiºQ0P&Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**ø'"Îó‰ÓÑ ÉQmþ  0H²!ã @"Îó‰ÓÑ`ˆiºQ0P'Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**x(:1Îó‰ÓÑ ÉQmþ  0H-!á@@:1Îó‰ÓÑ`ˆiºQ0P(Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**È)t=Îó‰ÓÑ ÉQmþ  0H€!ì@t=Îó‰ÓÑøÌ#êˆÓÖ#êˆÓÑt)Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**h*¸ÉWù‰ÓÑ ÉQmþ  0H!ã @¸ÉWù‰ÓÑ5ò‚ýã¶M·³‘!˜w 0ô*Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**ø+(ìWù‰ÓÑ ÉQmþ  0H²!ã @(ìWù‰ÓÑ5ò‚ýã¶M·³‘!˜w 0ô+Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**,W^Xù‰ÓÑ ÉQmþ 0H²!ã @W^Xù‰ÓÑ5ò‚ýã¶M·³‘!˜w 0ô,©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ****-—ÂXù‰ÓÑ ÉQmþ 0H²!ã @—ÂXù‰ÓÑ5ò‚ýã¶M·³‘!˜w 0ô-©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ****h.Ÿ»/-ŠÓÑ ÉQmþ  0H!ã @Ÿ»/-ŠÓÑÌ‹3GzG»Ç’¡‰\ëº0P.Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**ø/bÛ/-ŠÓÑ ÉQmþ  0H²!ã @bÛ/-ŠÓÑÌ‹3GzG»Ç’¡‰\ëº0P/Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**x0"é/-ŠÓÑ ÉQmþ  0H-!á@@"é/-ŠÓÑÌ‹3GzG»Ç’¡‰\ëº0P0Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**È1Ní/-ŠÓÑ ÉQmþ  0H€!ì@Ní/-ŠÓÑøÌ#êˆÓù#êˆÓÑ` 1Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È** 2êô ¢Ò ÉQmþ  0H×!eè@êô ¢Ò`ˆ}‹T2Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"÷ ˜Service startedThe service will auto stop if no requests received for some period of time. **h3Ò>¡¢Ò ÉQmþ  0H!ã @Ò>¡¢Ò`ˆ}‹œ3Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**ø4B%>¡¢Ò ÉQmþ  0H²!ã @B%>¡¢Ò`ˆ}‹œ4Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**h5²•?¡¢Ò ÉQmþ  0H!ã @²•?¡¢Ò`ˆ}‹5Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**ø65;@¡¢Ò ÉQmþ  0H²!ã @5;@¡¢Ò`ˆ}‹6Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**h7CB¡¢Ò ÉQmþ  0H!ã @CB¡¢Ò`ˆ}‹œ7Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**ø8êSB¡¢Ò ÉQmþ  0H²!ã @êSB¡¢Ò`ˆ}‹œ8Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**x9[B¡¢Ò ÉQmþ  0H-!á@@[B¡¢Ò`ˆ}‹œ9Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**È:9¯B¡¢Ò ÉQmþ  0H€!ì@9¯B¡¢Ò eGœ¢gGœ¢ÒÌü:Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**h;ŽO¢¢Ò ÉQmþ  0H!ã @ŽO¢¢Òu5N0ª@«ž•ûƒÎVHô;Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**ø<,O¢¢Ò ÉQmþ  0H²!ã @,O¢¢Òu5N0ª@«ž•ûƒÎVHô<Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**=ßnO¢¢Ò ÉQmþ 0H²!ã @ßnO¢¢Òu5N0ª@«ž•ûƒÎVHô=©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ****>Ô¢O¢¢Ò ÉQmþ 0H²!ã @Ô¢O¢¢Òu5N0ª@«ž•ûƒÎVHô>©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ****x?ÿ]¬¤¢Ò ÉQmþ  0H/!á@@ÿ]¬¤¢Ò`ˆ}‹<?Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCleanupIdentityW€x**h@…Öà¨¢Ò ÉQmþ  0H!ã @…ÖਢÒ`ˆ}‹ô@Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**øAíà¨¢Ò ÉQmþ  0H²!ã @íਢÒ`ˆ}‹ôAMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**xBÇóà¨¢Ò ÉQmþ  0H-!á@@ÇóਢÒ`ˆ}‹ôBMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**ÈC*÷à¨¢Ò ÉQmþ  0H€!ì@*÷à¨¢Ò eGœ¢3lGœ¢ÒÌüCMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**øDÏÃ¢Ò ÉQmþ  0H²!ã @ÏÃ¢Ò eGœ¢3lGœ¢Ò<DMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**xE_ôÃ¢Ò ÉQmþ  0H-!á@@_ôÃ¢Ò eGœ¢3lGœ¢Ò<EMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**ÈFøÃ¢Ò ÉQmþ  0H€!ì@øÃ¢Ò eGœ¢ yGœ¢Ò üFMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**hGÒ=Pã¢Ò ÉQmþ  0H!ã @Ò=Pã¢Ò&š«Ä<M¼—(Ôþi‹GMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**øHOPã¢Ò ÉQmþ  0H²!ã @OPã¢Ò&š«Ä<M¼—(Ôþi‹HMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**xI)UPã¢Ò ÉQmþ  0H-!á@@)UPã¢Ò&š«Ä<M¼—(Ôþi‹IMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**ÈJðXPã¢Ò ÉQmþ  0H€!ì@ðXPã¢Ò eGœ¢)–Gœ¢ÒÌx JMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**hKé™ä¢Ò ÉQmþ  0H!ã @é™ä¢Ò`ˆ}‹¸KMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**øLÊ­ä¢Ò ÉQmþ  0H²!ã @Ê­ä¢Ò`ˆ}‹¸LMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**xMr¶ä¢Ò ÉQmþ  0H-!á@@r¶ä¢Ò`ˆ}‹¸MMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**ÈNš¸ä¢Ò ÉQmþ  0H€!ì@š¸ä¢Ò eGœ¢CœGœ¢ÒÌèNMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**øOZ€•$¢Ò ÉQmþ  0H²!ã @Z€•$¢Ò eGœ¢CœGœ¢ÒOMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**xPˆ•$¢Ò ÉQmþ  0H-!á@@ˆ•$¢Ò eGœ¢CœGœ¢ÒPMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**ÈQ Š•$¢Ò ÉQmþ  0H€!ì@ Š•$¢Ò eGœ¢VœGœ¢ÒðlQMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**øRæué%¢Ò ÉQmþ  0H²!ã @æué%¢Ò eGœ¢VœGœ¢ÒRMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**xSÄ}é%¢Ò ÉQmþ  0H-!á@@Ä}é%¢Ò eGœ¢VœGœ¢ÒSMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**ÈT¼é%¢Ò ÉQmþ  0H€!ì@¼é%¢Ò eGœ¢bœGœ¢Òœ TMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**hUºt¹)¢Ò ÉQmþ  0H!ã @ºt¹)¢Ò eGœ¢bœGœ¢Ò<UMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**øVÀ)¢Ò ÉQmþ  0H²!ã @À)¢Ò eGœ¢bœGœ¢Ò<VMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**xWhÀ)¢Ò ÉQmþ  0H-!á@@hÀ)¢Ò eGœ¢bœGœ¢Ò<WMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**ÈXœÀ)¢Ò ÉQmþ  0H€!ì@œÀ)¢Ò eGœ¢mœGœ¢ÒÌüXMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**øY´7ë‘¢Ò ÉQmþ  0H²!ã @´7ë‘¢Ò÷s'7ãÒáH¤T)6Ê»À<YMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**xZ¶@ë‘¢Ò ÉQmþ  0H-!á@@¶@ë‘¢Ò÷s'7ãÒáH¤T)6Ê»À<ZMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**È[”Bë‘¢Ò ÉQmþ  0H€!ì@”Bë‘¢Ò eGœ¢ «Gœ¢ÒŒ $ [Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**ø\òø£¢Ò ÉQmþ  0H²!ã @òø£¢Òp:„‹Ú…‹<\Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**x]æ#ø£¢Ò ÉQmþ  0H-!á@@æ#ø£¢Òp:„‹Ú…‹<]Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**È^ç%ø£¢Ò ÉQmþ  0H€!ì@ç%ø£¢Ò eGœ¢9«Gœ¢ÒÌ^Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**ø_¸u¢Ò ÉQmþ  0H²!ã @¸u¢Òp:„‹Ú…‹T_Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**x`[ u¢Ò ÉQmþ  0H-!á@@[ u¢Òp:„‹Ú…‹T`Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äñ WLIDCreateContextiˆ€x**Èa u¢Ò ÉQmþ  0H€!ì@ u¢Ò eGœ¢–¬Gœ¢Òì ÀaMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[ù eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**¸báAÂq¢Ò ÉQmþ  0Hq!eè@áAÂq¢ÒèbMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"÷ 2Service stoppedThe service has stopped.¸** cB‰²¸¢Ò ÉQmþ  0H×!eè@B‰²¸¢Ò`ˆ}‹TcMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"÷ ˜Service startedThe service will auto stop if no requests received for some period of time. **hdQŸ¢Ò ÉQmþ  0H!ã @QŸ¢Ò`ˆ}‹¸dMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**øe¶è¹¸¢Ò ÉQmþ  0H²!ã @¶è¹¸¢Ò`ˆ}‹¸eMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**hfÁ_»¸¢Ò ÉQmþ  0H!ã @Á_»¸¢Ò`ˆ}‹hfMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5Q ****************h**øgÆn»¸¢Ò ÉQmþ  0H²!ã @Æn»¸¢Ò`ˆ}‹hgMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ø**hU˜»¸¢Ò ÉQmþ 0H²!ã @U˜»¸¢Ò`ˆ}‹hh©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ****ib¿»¸¢Ò ÉQmþ 0H²!ã @b¿»¸¢Ò`ˆ}‹hi©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5QŸ**ElfChnkj‘j‘€úèû”ºaYiÂ}óèF=Î÷²›f?øm©MFºA™&9b**˜ jò/½¸¢Ò ÉQm&ÉQmÙÔú\ëWb«mÆß–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-CH5HRODAÿÿB .Security²fLUserID !  0HŸ!ã @ò/½¸¢Ò`ˆ}‹TjMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷*"Û5IE‰/<‘rEsthÿÿ\D‚ EventDataAÿÿ3FΊoData=Value  ****************WLIDCre˜ **øk›G½¸¢Ò ÉQm&  0H²!ã @›G½¸¢Ò`ˆ}‹TkMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷Ÿ**ø**hlÓ²¾¸¢Ò ÉQm&  0H!ã @Ó²¾¸¢Ò`ˆ}‹TlMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ ****************h**øma¾¸¢Ò ÉQm&  0H²!ã @a¾¸¢Ò`ˆ}‹TmMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷Ÿ**Lø**n—Ⱦ¸¢Ò ÉQm&  0H½!á@@—Ⱦ¸¢Ò`ˆ}‹TnMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä9÷Ìä¼ä£ç¼ÔõˆýŠÏ˜xÿÿlAÿÿ/F!= FunctionName Aÿÿ)F= ErrorCode WLIDCreateContextiˆ€Î**XoµÊ¾¸¢Ò ÉQm&  0H!ì@µÊ¾¸¢Ò eGœ¢^´Gœ¢ÒÌpoMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[A¯Ú[ƳµÊîz~´î#xÿÿlAÿÿ/F!= FunctionName Aÿÿ)F= ErrorCode eWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€ceX**Ðp Ë­¢rºÒ ÉQm&  0H‡!eè@ Ë­¢rºÒ`ˆ“õHpMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"™<¥Ž"!²âÄkt':îA!˜ÿÿŒAÿÿ)F= Operation Aÿÿ%F=Details Aÿÿ#F=Status  ˜Service startedThe service will auto stop if no requests received for some period of time.Ð**°qÌ(å¢rºÒ ÉQm&  0Hg!ã @Ì(å¢rºÒ`ˆ“õøqMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷T******************°**ør1áå¢rºÒ ÉQm&  0H²!ã @1áå¢rºÒ`ˆ“õørMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷Ÿ**ø**sJ9æ¢rºÒ ÉQm& 0H²!ã @J9æ¢rºÒ`ˆ“õøs©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷Ÿ****tÞnæ¢rºÒ ÉQm& 0H²!ã @Þnæ¢rºÒ`ˆ“õøt©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷Ÿ****°u€®ù¢rºÒ ÉQm&  0Hg!ã @€®ù¢rºÒ`ˆ“õŒuMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷T******************°**øv*ú¢rºÒ ÉQm&  0H²!ã @*ú¢rºÒ`ˆ“õŒvMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷Ÿ**ø**°wüFü¢rºÒ ÉQm&  0Hg!ã @üFü¢rºÒ`ˆ“õŒwMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷T******************°**øx[ü¢rºÒ ÉQm&  0H²!ã @[ü¢rºÒ`ˆ“õŒxMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷Ÿ**ø**xyÈeü¢rºÒ ÉQm&  0H-!á@@Èeü¢rºÒ`ˆ“õŒyMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä9WLIDCreateContextiˆ€x**Èz°pü¢rºÒ ÉQm&  0H€!ì@°pü¢rºÒQû¡›rº(ý¡›rºÒô´zMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ¯Ú[AeWindows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::SetupIdentityHandleiˆ€È**°{:Éý¢rºÒ ÉQm&  0Hg!ã @:Éý¢rºÒQû¡›rº(ý¡›rºÒÀ{Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷T******************°**ø|oÜý¢rºÒ ÉQm&  0H²!ã @oÜý¢rºÒQû¡›rº(ý¡›rºÒÀ|Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷Ÿ**ø**°}kAÓ¥rºÒ ÉQm&  0Hg!ã @kAÓ¥rºÒ`ˆ“õ}Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷T******************°**€~¿Üà§rºÒ ÉQm&  0H6!ä @¿Üà§rºÒ`ˆ“õ~Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷#*************BL2IDSLGN2A009 2017.03.19.10.39.41€**` ­ðè§rºÒ ÉQm&  0H!ã @­ðè§rºÒ`ˆ“õMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷***********2017-04-21T08:41:17Z2017-04-21T08:46:17Z*****http://Passport.NET/tb` **( €z$æ¨rºÒ ÉQm&  0Hà !ä @z$æ¨rºÒ`ˆ“õ€Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷Í **2017-04-21T08:41:18Z2017-04-21T08:46:18Z**16.000.26889.00**0x488030x0BL2IDSLGN1F028 2017.03.19.10.39.41**********urn:passport:legacyhttp://Passport.NET/tb2017-04-21T08:41:18Z2017-07-20T08:41:18Z****( **ÈÑè¨rºÒ ÉQm&  0H‚!å @Ñè¨rºÒ`ˆ“õMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öbŽ½öÆW^KrˆQ’Î8ØÿÿÌAÿÿ-F= ResourceURI Aÿÿ%F=Created Aÿÿ%F=Expires Aÿÿ)F= TokenType Aÿÿ/F!= AuthRequired Aÿÿ1F#= RequestStatus Aÿÿ+F= HasFlowUrl  Aÿÿ+F= HasAuthUrl  Aÿÿ1F#= HasEndAuthUrl      http://Passport.NET/tbá )á )urn:passport:legacyÈ**` ‚?ë¨rºÒ ÉQm&  0H!ã @?ë¨rºÒ`ˆ“õø‚Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷***********2017-04-21T08:41:19Z2017-04-21T08:46:19Z*****http://Passport.NET/tb` **( ƒ¹FÈ©rºÒ ÉQm&  0Hà !ä @¹FÈ©rºÒ`ˆ“õøƒMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷Í **2017-04-21T08:41:20Z2017-04-21T08:46:20Z**16.000.26889.00**0x488030x0BL2IDSLGN1H022 2017.03.19.10.39.41**********urn:passport:legacyhttp://Passport.NET/tb2017-04-21T08:41:20Z2017-07-20T08:41:20Z****( **Ø„¸.É©rºÒ ÉQm&  0H’!å @¸.É©rºÒ`ˆ“õø„Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öb    http://Passport.NET/tbá )á )urn:passport:legacyØ**° …ÊÌ©rºÒ ÉQm&  0Hh!ã @ÊÌ©rºÒ`ˆ“õø…Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷U***********2017-04-21T08:41:20Z2017-04-21T08:46:20Z*****http://Passport.NET/tb° **x †¨àÌ©rºÒ ÉQm&  0H1 !ã @¨àÌ©rºÒ`ˆ“õ  †Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:41:20Z2017-04-21T08:46:20Z*****https://vortex-win.data.microsoft.comx **x ‡öXΩrºÒ ÉQm&  0H2 !ã @öXΩrºÒ`ˆ“õ ‡Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:41:20Z2017-04-21T08:46:20Z*****https://watson.telemetry.microsoft.comx ** ˆvlƒªrºÒ ÉQm&  0HV!ä @vlƒªrºÒ`ˆ“õ  ˆMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:41:21Z2017-04-21T08:46:21Z********** **艓ƒªrºÒ ÉQm&  0H¢!å @“ƒªrºÒ`ˆ“õ  ‰Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öb &   https://vortex-win.data.microsoft.comá )á )urn:passport:compactè** ŠªrºÒ ÉQm&  0HV!ä @ªrºÒ`ˆ“õ ŠMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:41:21Z2017-04-21T08:46:21Z********** **苇äªrºÒ ÉQm&  0H£!å @‡äªrºÒ`ˆ“õ ‹Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öb '   https://watson.telemetry.microsoft.comá )á )urn:passport:compactè**x ŒÀ «rºÒ ÉQm&  0H1 !ã @À «rºÒ`ˆ“õt ŒMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:41:22Z2017-04-21T08:46:22Z*****https://vortex-win.data.microsoft.comx **( ±“«rºÒ ÉQm&  0Hà !ä @±“«rºÒ`ˆ“õøMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷Í **2017-04-21T08:41:23Z2017-04-21T08:46:23Z**16.000.26889.00**0x488030x0BL2IDSLGN2A029 2017.03.19.10.39.41**********urn:passport:legacyhttp://Passport.NET/tb2017-04-21T08:41:23Z2017-07-20T08:41:21Z****( **ØŽ\½“«rºÒ ÉQm&  0H’!å @\½“«rºÒ`ˆ“õøŽMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öb    http://Passport.NET/tbá )á )urn:passport:legacyØ**H $.—«rºÒ ÉQm&  0H !ã @$.—«rºÒ`ˆ“õ  Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ð ************2017-04-21T08:41:23Z2017-04-21T08:46:23Z*****www.microsoft.comH ** _xÌ«rºÒ ÉQm&  0HV!ä @_xÌ«rºÒ`ˆ“õt Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:41:24Z2017-04-21T08:46:24Z********** **è‘ò—Ì«rºÒ ÉQm&  0H¢!å @ò—Ì«rºÒ`ˆ“õt ‘Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öb &   https://vortex-win.data.microsoft.comá )á )urn:passport:compactè ÉQm&  0Hä @Ë y¬rºÒ`ˆ“õ  ’Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷CElfChnk’«’«€°ù˜û¯àœéey=6óèF=Î÷²›f?øm©MFº&Ê**È’Ë y¬rºÒ ÉQm&ÉQmÙÔú\ëWb«mÆß–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-CH5HRODAÿÿB .Security²fLUserID !  0HÖ!ä @Ë y¬rºÒ`ˆ“õ  ’Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷*"Û5IE‰/<‘rEsthÿÿ\D‚ EventDataAÿÿ3FΊoData=Value C**2017-04-21T08:41:25Z2017-04-21T08:46:25Z**********È**È“y¬rºÒ ÉQm&  0H~!å @y¬rºÒ`ˆ“õ  “Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öŽ½öÆW^KrˆQ’Î8ØÿÿÌAÿÿ-F= ResourceURI Aÿÿ%F=Created Aÿÿ%F=Expires Aÿÿ)F= TokenType Aÿÿ/F!= AuthRequired Aÿÿ1F#= RequestStatus Aÿÿ+F= HasFlowUrl  Aÿÿ+F= HasAuthUrl  Aÿÿ1F#= HasEndAuthUrl      www.microsoft.comá )á )urn:passport:compactvicÈ**H ”kT~¬rºÒ ÉQm&  0H !ã @kT~¬rºÒ`ˆ“õ  ”Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ð ************2017-04-21T08:41:26Z2017-04-21T08:46:26Z*****www.microsoft.comcH ** •îPh­rºÒ ÉQm&  0HV!ä @îPh­rºÒÐ4$“õç%“õ  •Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:41:26Z2017-04-21T08:46:26Z**********{ **Ø–2eh­rºÒ ÉQm&  0HŽ!å @2eh­rºÒÐ4$“õç%“õ  –Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö    www.microsoft.comá )á )urn:passport:compacteviceIØ**H —ÆÝs­rºÒ ÉQm&  0H !ã @ÆÝs­rºÒÐ4$“õç%“õ  —Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ð ************2017-04-21T08:41:26Z2017-04-21T08:46:26Z*****www.microsoft.comsH ** ˜½mŠ®rºÒ ÉQm&  0HV!ä @½mŠ®rºÒÿˆ“õ  ˜Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:41:28Z2017-04-21T08:46:28Z**********ˆ **Ø™>Š®rºÒ ÉQm&  0HŽ!å @>Š®rºÒÿˆ“õ  ™Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö    www.microsoft.comá )á )urn:passport:compact8Z************2017-04-21T08:41:30Z2017-04-21T08:46:30Z*****www.microsoft.comeH **x ›Å̯rºÒ ÉQm&  0H1 !ã @Å̯rºÒ`ˆ“õ ›Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:41:30Z2017-04-21T08:46:30Z*****https://vortex-win.data.microsoft.com-Lx **x œÜT°rºÒ ÉQm&  0H2 !ã @ÜT°rºÒ`ˆ“õt œMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:41:30Z2017-04-21T08:46:30Z*****https://watson.telemetry.microsoft.comx ** -±rºÒ ÉQm&  0HV!ä @-±rºÒíSyËé¼G”d éaYì Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:41:32Z2017-04-21T08:46:32Z************2017-04-21T08:41:32Z2017-04-21T08:46:32Z**********d>**************2017-04-21T08:41:32Z2017-04-21T08:46:32Z*****user.auth.xboxlive.comhtˆ ** ¢·TŒ²rºÒ ÉQm&  0HV!ä @·TŒ²rºÒÐ4$“õç%“õt ¢Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:41:33Z2017-04-21T08:46:33Z**********Digest **è£`hŒ²rºÒ ÉQm&  0H£!å @`hŒ²rºÒÐ4$“õç%“õt £Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö '   https://watson.telemetry.microsoft.comá )!á )!urn:passport:compacttè**x ¤D>ȵrºÒ ÉQm&  0H2 !ã @D>ȵrºÒÐ4$“õç%“õø¤Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:41:38Z2017-04-21T08:46:38Z*****https://watson.telemetry.microsoft.com:Cx **¥]üÿ¶rºÒ ÉQm&  0H½!á@@]üÿ¶rºÒÐ4$“õç%“õ  ¥Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äÊ÷Ìä¼ä£ç¼ÔõˆýŠÏ˜xÿÿlAÿÿ/F!= FunctionName Aÿÿ)F= ErrorCode WLIDCreateContext €€nc#sha2**x¦D2·rºÒ ÉQm&  0H-!á@@D2·rºÒÐ4$“õç%“õ¦Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äÊWLIDCreateContext €€="http:x**H §7‚·rºÒ ÉQm&  0H !ã @7‚·rºÒÐ4$“õç%“õ¤ §Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ð ************2017-04-21T08:41:41Z2017-04-21T08:46:41Z*****www.microsoft.com/H ** ¨“| ¸rºÒ ÉQm&  0HV!ä @“| ¸rºÒÐ4$“õç%“õ ¨Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:41:40Z2017-04-21T08:46:40Z**********estMet **Ø©ù™ ¸rºÒ ÉQm&  0H“!å @ù™ ¸rºÒÐ4$“õç%“õ ©Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö    user.auth.xboxlive.comá )(á )(urn:passport:compact_Ø** ª2ÿ%¾rºÒ ÉQm&  0HV!ä @2ÿ%¾rºÒÐ4$“õç%“õøªMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:41:51Z2017-04-21T08:46:51Z**********ipherV **è«ð&¾rºÒ ÉQm&  0H£!å @ð&¾rºÒÐ4$“õç%“õø«Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö '   https://watson.telemetry.microsoft.comá )3á )3urn:passport:compactcèElfChnk¬Ä¬Ä€ØýÀÿ9tiò¯óèF=Î÷²›f?øm©MFº&÷**Ȭ[59ÂrºÒ ÉQm&ÉQmÙÔú\ëWb«mÆß–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-CH5HRODAÿÿB .Security²fLUserID !  0HÖ!ä @[59ÂrºÒÐ4$“õç%“õ¤ ¬Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷*"Û5IE‰/<‘rEsthÿÿ\D‚ EventDataAÿÿ3FΊoData=Value C**2017-04-21T08:41:55Z2017-04-21T08:46:55Z**********È**È­UL9ÂrºÒ ÉQm&  0H~!å @UL9ÂrºÒÐ4$“õç%“õ¤ ­Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öŽ½öÆW^KrˆQ’Î8ØÿÿÌAÿÿ-F= ResourceURI Aÿÿ%F=Created Aÿÿ%F=Expires Aÿÿ)F= TokenType Aÿÿ/F!= AuthRequired Aÿÿ1F#= RequestStatus Aÿÿ+F= HasFlowUrl  Aÿÿ+F= HasAuthUrl  Aÿÿ1F#= HasEndAuthUrl      www.microsoft.comá )7á )7urn:passport:compactvicÈ**x ®K¢eÄrºÒ ÉQm&  0H1 !ã @K¢eÄrºÒÐ4$“õç%“õŒ®Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:41:59Z2017-04-21T08:46:59Z*****https://vortex-win.data.microsoft.comx **° ¯ámÄrºÒ ÉQm&  0Hh!ã @ámÄrºÒÐ4$“õç%“õ ¯Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷U***********2017-04-21T08:41:59Z2017-04-21T08:46:59Z*****http://Passport.NET/tbrans° **x °ÆÙäÇrºÒ ÉQm&  0H2 !ã @ÆÙäÇrºÒÐ4$“õç%“õ  °Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:42:04Z2017-04-21T08:47:04Z*****https://watson.telemetry.microsoft.comrex **H ±ÔêÌrºÒ ÉQm&  0H !ã @ÔêÌrºÒÐ4$“õç%“õH±Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ð ************2017-04-21T08:42:13Z2017-04-21T08:47:13Z*****www.microsoft.com>H ** ²û·ÎrºÒ ÉQm&  0HV!ä @û·ÎrºÒÐ4$“õç%“õŒ²Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:42:20Z2017-04-21T08:47:20Z**********:Secur **è³è)·ÎrºÒ ÉQm&  0H¢!å @è)·ÎrºÒÐ4$“õç%“õŒ³Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö &   https://vortex-win.data.microsoft.comá *á *urn:passport:compactdeè**( ´‡<ëÎrºÒ ÉQm&  0Hà !ä @‡<ëÎrºÒÐ4$“õç%“õ ´Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷Í **2017-04-21T08:42:17Z2017-04-21T08:47:17Z**16.000.26889.00**0x488030x0BL2IDSLGN1F009 2017.03.19.10.39.41**********urn:passport:legacyhttp://Passport.NET/tb2017-04-21T08:42:17Z2017-07-20T08:42:17Z****ce><( **صÐìÎrºÒ ÉQm&  0H’!å @ÐìÎrºÒÐ4$“õç%“õ µMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö    http://Passport.NET/tbá *á *urn:passport:legacynsØ** ¶;²;ÐrºÒ ÉQm&  0HV!ä @;²;ÐrºÒÐ4$“õç%“õ  ¶Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:42:22Z2017-04-21T08:47:22Z********** URI=" **è·ÛÅ;ÐrºÒ ÉQm&  0H£!å @ÛÅ;ÐrºÒÐ4$“õç%“õ  ·Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö '   https://watson.telemetry.microsoft.comá *á *urn:passport:compactè**x ¸c°yÓrºÒ ÉQm&  0H2 !ã @c°yÓrºÒܹu‹[~F­©QÉŸaˆüø¸Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:42:28Z2017-04-21T08:47:28Z*****https://watson.telemetry.microsoft.comtpx ** ¹¯L|ÖrºÒ ÉQm&  0HV!ä @¯L|ÖrºÒܹu‹[~F­©QÉŸaˆüH¹Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:42:30Z2017-04-21T08:47:30Z**********Key">< **غ/a|ÖrºÒ ÉQm&  0HŽ!å @/a|ÖrºÒܹu‹[~F­©QÉŸaˆüHºMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö    www.microsoft.comá *á *urn:passport:compact="httpØ**x »ùRŠÖrºÒ ÉQm&  0H1 !ã @ùRŠÖrºÒÐ4$“õç%“õH»Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:42:30Z2017-04-21T08:47:30Z*****https://vortex-win.data.microsoft.comencx ** ¼£8ÚrºÒ ÉQm&  0HV!ä @£8ÚrºÒªkò.ë±DK¡¶ò7p<\¯ø¼Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:42:40Z2017-04-21T08:47:40Z**********rence> **轞»8ÚrºÒ ÉQm&  0H£!å @ž»8ÚrºÒªkò.ë±DK¡¶ò7p<\¯ø½Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö '   https://watson.telemetry.microsoft.comá *(á *(urn:passport:compactyè** ¾`¿ÛrºÒ ÉQm&  0HV!ä @`¿ÛrºÒªkò.ë±DK¡¶ò7p<\¯H¾Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:42:43Z2017-04-21T08:47:43Z**********>*************2017-04-21T08:42:43Z2017-04-21T08:47:43Z*****https://watson.telemetry.microsoft.comhox **H ÁKkÜrºÒ ÉQm&  0H !ã @KkÜrºÒªkò.ë±DK¡¶ò7p<\¯  ÁMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ð ************2017-04-21T08:42:44Z2017-04-21T08:47:44Z*****www.microsoft.comoH **x ²‹3ÝrºÒ ÉQm&  0H1 !ã @²‹3ÝrºÒªkò.ë±DK¡¶ò7p<\¯ìÂMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:42:45Z2017-04-21T08:47:45Z*****https://vortex-win.data.microsoft.comcXRx ** ÃRBpàrºÒ ÉQm&  0HV!ä @RBpàrºÒªkò.ë±DK¡¶ò7p<\¯HÃMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:42:51Z2017-04-21T08:47:51Z********** **èÄ„fpàrºÒ ÉQm&  0H£!å @„fpàrºÒªkò.ë±DK¡¶ò7p<\¯HÄMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö '   https://watson.telemetry.microsoft.comá *3á *2urn:passport:compactèElfChnkÅÝÅÝ€øöàøó³ÍñíúåóèF=Î÷²›f?øm©MFº&÷**ÈÅ?û0ârºÒ ÉQm&ÉQmÙÔú\ëWb«mÆß–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-CH5HRODAÿÿB .Security²fLUserID !  0HÖ!ä @?û0ârºÒªkò.ë±DK¡¶ò7p<\¯  ÅMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷*"Û5IE‰/<‘rEsthÿÿ\D‚ EventDataAÿÿ3FΊoData=Value C**2017-04-21T08:42:51Z2017-04-21T08:47:51Z**********È**ÈÆ 1ârºÒ ÉQm&  0H~!å @ 1ârºÒªkò.ë±DK¡¶ò7p<\¯  ÆMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öŽ½öÆW^KrˆQ’Î8ØÿÿÌAÿÿ-F= ResourceURI Aÿÿ%F=Created Aÿÿ%F=Expires Aÿÿ)F= TokenType Aÿÿ/F!= AuthRequired Aÿÿ1F#= RequestStatus Aÿÿ+F= HasFlowUrl  Aÿÿ+F= HasAuthUrl  Aÿÿ1F#= HasEndAuthUrl      www.microsoft.comá *3á *3urn:passport:compactvicÈ** Ç—µârºÒ ÉQm&  0HV!ä @—µârºÒÐ4$“õç%“õìÇMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:42:54Z2017-04-21T08:47:54Z**********u:Id=" **èÈR«µârºÒ ÉQm&  0H¢!å @R«µârºÒÐ4$“õç%“õìÈMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö &   https://vortex-win.data.microsoft.comá *6á *6urn:passport:compactgnè**x ÉkãrºÒ ÉQm&  0H2 !ã @kãrºÒܹu‹[~F­©QÉŸaˆü  ÉMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:42:55Z2017-04-21T08:47:55Z*****https://watson.telemetry.microsoft.comexx **Ø Ê`IärºÒ ÉQm& 0H‚!ã @`IärºÒܹu‹[~F­©QÉŸaˆüHÊ©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷o************2017-04-21T08:42:57Z2017-04-21T08:47:57Z*****http://Passport.NET/tb-wØ **x Ë*@årºÒ ÉQm&  0H1 !ã @*@årºÒܹu‹[~F­©QÉŸaˆü ËMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:42:59Z2017-04-21T08:47:59Z*****https://vortex-win.data.microsoft.com://x ** ÌÏRérºÒ ÉQm&  0HV!ä @ÏRérºÒÝ>”ØßAbKŒk¦€ý“_  ÌMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:43:05Z2017-04-21T08:48:05Z**********x48803 **èÍÚáRérºÒ ÉQm&  0H£!å @ÚáRérºÒÝ>”ØßAbKŒk¦€ý“_  ÍMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö '   https://watson.telemetry.microsoft.comá +á +urn:passport:compactaè**H ΋·érºÒ ÉQm&  0H !ã @‹·érºÒÝ>”ØßAbKŒk¦€ý“_ŒÎMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ð ************2017-04-21T08:43:05Z2017-04-21T08:48:05Z*****www.microsoft.comiH ** ÏžNërºÒ ÉQm&  0HV!ä @žNërºÒÝ>”ØßAbKŒk¦€ý“_ ÏMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:43:08Z2017-04-21T08:48:08Z**********oso **èÐ^aërºÒ ÉQm&  0H¢!å @^aërºÒÝ>”ØßAbKŒk¦€ý“_ ÐMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö &   https://vortex-win.data.microsoft.comá +á +urn:passport:compactesè**8 ÑT»IërºÒ ÉQm& 0Hà !ä @T»IërºÒÝ>”ØßAbKŒk¦€ý“_HÑ©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷Í **2017-04-21T08:43:08Z2017-04-21T08:48:08Z**16.000.26889.00**0x488030x0BL2IDSLGN1F005 2017.03.19.10.39.41**********urn:passport:legacyhttp://Passport.NET/tb2017-04-21T08:43:08Z2017-07-20T08:43:08Z****:Non8 **èÒ[jJërºÒ ÉQm& 0H’!å @[jJërºÒÝ>”ØßAbKŒk¦€ý“_HÒ©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö    http://Passport.NET/tbá +á +urn:passport:legacyAlè**x Ón NërºÒ ÉQm& 0H !ã @n NërºÒÝ>”ØßAbKŒk¦€ý“_HÓ©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:43:08Z2017-04-21T08:48:08Z*****www.microsoft.comx **x Ô’‘ërºÒ ÉQm&  0H2 !ã @’‘ërºÒÝ>”ØßAbKŒk¦€ý“_øÔMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:43:08Z2017-04-21T08:48:08Z*****https://watson.telemetry.microsoft.comx **x Õ¦ƒírºÒ ÉQm&  0H1 !ã @¦ƒírºÒ™õ:ï m^J¦1™3¬´¯ìÕMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:43:12Z2017-04-21T08:48:12Z*****https://vortex-win.data.microsoft.com/xmx ** Ö·ìRïrºÒ ÉQm&  0HV!ä @·ìRïrºÒ™õ:ï m^J¦1™3¬´¯ŒÖMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:43:14Z2017-04-21T08:48:14Z**********sse:Re **Ø×WSïrºÒ ÉQm&  0HŽ!å @WSïrºÒ™õ:ï m^J¦1™3¬´¯Œ×Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö    www.microsoft.comá +á +urn:passport:compact/www.wØ** Ø‹ûïrºÒ ÉQm&  0HV!ä @‹ûïrºÒÐ4$“õç%“õøØMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:43:17Z2017-04-21T08:48:17Z**********ignKey **èÙ̲ûïrºÒ ÉQm&  0H£!å @̲ûïrºÒÐ4$“õç%“õøÙMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö '   https://watson.telemetry.microsoft.comá +á +urn:passport:compactè**°Ú%A–ðrºÒ ÉQm& 0HV!ä @%A–ðrºÒÐ4$“õç%“õHÚ©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:43:16Z2017-04-21T08:48:16Z**********tionMe°**èÛ[T–ðrºÒ ÉQm& 0HŽ!å @[T–ðrºÒÐ4$“õç%“õHÛ©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö    www.microsoft.comá +á +urn:passport:compact""/>**2017-04-21T08:43:19Z2017-04-21T08:48:19Z**********hm="ht **èݺû¬ñrºÒ ÉQm&  0H¢!å @ºû¬ñrºÒÐ4$“õç%“õìÝMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö &   https://vortex-win.data.microsoft.comá +á +urn:passport:compactseèurityTokenReference>** **èÄ„fpàrºÒ ÉQm&  0H£!å @„fpàrºÒªkò.ë±DK¡¶ò7p<\¯HÄMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö '   https://watson.telemetry.microsoft.comá *3á *2urn:passport:compactèElfChnkÞõÞõ€Øö°ø=‘í=&AÈÃóèF=Î÷²›f?øm©MFº&÷Ù0**¨Þé³ñrºÒ ÉQm&ÉQmÙÔú\ëWb«mÆß–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-CH5HRODAÿÿB .Security²fLUserID !  0H² !ã @é³ñrºÒÐ4$“õç%“õìÞMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷*"Û5IE‰/<‘rEsthÿÿ\D‚ EventDataAÿÿ3FΊoData=Value  *************2017-04-21T08:43:19Z2017-04-21T08:48:19Z*****https://watson.telemetry.microsoft.com2001¨**H ß1üôrºÒ ÉQm&  0H !ã @1üôrºÒÐ4$“õç%“õøßMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ð ************2017-04-21T08:43:23Z2017-04-21T08:48:23Z*****www.microsoft.com=H ** àÿ}ŠõrºÒ ÉQm&  0HV!ä @ÿ}ŠõrºÒÐ4$“õç%“õìàMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:43:26Z2017-04-21T08:48:26Z********** Type= **Øá’’ŠõrºÒ ÉQm&  0H“!å @’’ŠõrºÒÐ4$“õç%“õìáMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öÙ0Ž½öÆW^KrˆQ’Î8ØÿÿÌAÿÿ-F= ResourceURI Aÿÿ%F=Created Aÿÿ%F=Expires Aÿÿ)F= TokenType Aÿÿ/F!= AuthRequired Aÿÿ1F#= RequestStatus Aÿÿ+F= HasFlowUrl  Aÿÿ+F= HasAuthUrl  Aÿÿ1F#= HasEndAuthUrl   '   https://watson.telemetry.microsoft.comá +á +urn:passport:compact/Ø**x âØðõrºÒ ÉQm&  0H1 !ã @ØðõrºÒÐ4$“õç%“õìâMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:43:26Z2017-04-21T08:48:26Z*****https://vortex-win.data.microsoft.com*************2017-04-21T08:43:29Z2017-04-21T08:48:29Z*****https://watson.telemetry.microsoft.comDix ** äŽ-ÝørºÒ ÉQm&  0HV!ä @Ž-ÝørºÒÐ4$“õç%“õøäMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:43:30Z2017-04-21T08:48:30Z**********>*************2017-04-21T08:43:32Z2017-04-21T08:48:32Z*****www.microsoft.comtMethodx ** 籓DûrºÒ ÉQm&  0HV!ä @±“DûrºÒÐ4$“õç%“õìçMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:43:35Z2017-04-21T08:48:35Z**********yToken **è肦DûrºÒ ÉQm&  0H¢!å @‚¦DûrºÒÐ4$“õç%“õìèMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öÙ0 &   https://vortex-win.data.microsoft.comá +#á +#urn:passport:compacturè** é™ÇcürºÒ ÉQm&  0HV!ä @™ÇcürºÒÐ4$“õç%“õHéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:43:37Z2017-04-21T08:48:37Z**********:Non **èê‡ÚcürºÒ ÉQm&  0H£!å @‡ÚcürºÒÐ4$“õç%“õHêMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öÙ0 '   https://watson.telemetry.microsoft.comá +%á +%urn:passport:compactlè**x ëŒVû_{ºÒ ÉQm&  0H1 !ã @ŒVû_{ºÒ`ˆ“õ  ëMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T09:43:40Z2017-04-21T09:48:40Z*****https://vortex-win.data.microsoft.comx **x ìþöa{ºÒ ÉQm&  0H2 !ã @þöa{ºÒ`ˆ“õŒìMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T09:43:41Z2017-04-21T09:48:41Z*****https://watson.telemetry.microsoft.comx **H í˜ a{ºÒ ÉQm&  0H !ã @˜ a{ºÒ`ˆ“õ íMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ð ************2017-04-21T09:43:41Z2017-04-21T09:48:41Z*****www.microsoft.comRH **°î¬ðmb{ºÒ ÉQm& 0HV!ä @¬ðmb{ºÒ`ˆ“õøî©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:43:41Z2017-04-21T08:48:41Z**********edData°**èïnb{ºÒ ÉQm& 0HŽ!å @nb{ºÒ`ˆ“õøï©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öÙ0    www.microsoft.comá +)á +)urn:passport:compactè** ðoýud{ºÒ ÉQm&  0HV!ä @oýud{ºÒ`ˆ“õ  ðMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:43:46Z2017-04-21T08:48:46Z************2017-04-21T08:43:48Z2017-04-21T08:48:48Z**********edData **èó(Š[e{ºÒ ÉQm&  0H£!å @(Š[e{ºÒ`ˆ“õŒóMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öÙ0 '   https://watson.telemetry.microsoft.comá +0á +0urn:passport:compactpè** ô÷9Xf{ºÒ ÉQm&  0HV!ä @÷9Xf{ºÒ`ˆ“õ ôMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:43:48Z2017-04-21T08:48:48Z**********edData **ØõÕRXf{ºÒ ÉQm&  0HŽ!å @ÕRXf{ºÒ`ˆ“õ õMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öÙ0    www.microsoft.comá +0á +0urn:passport:compact +ØElfChnköö€húˆüë ÿKëwIóèF=Î÷²›f?øm©MFº‰(‘»&÷¡$**¸ödD¿£{ºÒ ÉQm&ÉQmÙÔú\ëWb«mÆß–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-CH5HRODAÿÿB .Security²fLUserID !  0H !ã @dD¿£{ºÒÐ4$“õç%“õ  öMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷*"Û5IE‰/<‘rEsthÿÿ\D‚ EventDataAÿÿ3FΊoData=Value / *************2017-04-21T08:45:31Z2017-04-21T08:50:31Z*****https://settings-win.data.microsoft.com/settings/v2.0/߸** ÷‡Ï_­{ºÒ ÉQm&  0HV!ä @‡Ï_­{ºÒÐ4$“õç%“õ  ÷Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:45:47Z2017-04-21T08:50:47Z**********ce>**2017-04-21T08:51:06Z2017-04-21T08:56:06Z*****************wsa: **¸ü‘¸¾w|ºÒ ÉQm&  0Hs!ä @‘¸¾w|ºÒÐ4$“õç%“õdüMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷`***********BL2IDSLGN1I022 2017.03.19.10.39.41s¸**¸ý}©ã|ºÒ ÉQm&  0Hq!eè@}©ã|ºÒ`ˆ“õ<ýMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"‰( 2Service stoppedThe service has stopped.ss>¸** þ#ý>}ºÒ ÉQm&  0H×!eè@#ý>}ºÒ6½ºÜÁ¬Hý˜?µZµ þMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"‰( ˜Service startedThe service will auto stop if no requests received for some period of time.tand= **ˆ ÿíRC}ºÒ ÉQm& 0H2 !ã @íRC}ºÒ6½ºÜÁ¬Hý˜?µZµdÿ©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T08:57:10Z2017-04-21T09:02:10Z*****https://watson.telemetry.microsoft.comd=ˆ **°&1ÖG}ºÒ ÉQm& 0HV!ä @&1ÖG}ºÒÙJ.ÏB<Kâ0 Ë$›Yd©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:57:17Z2017-04-21T09:02:17Z**********u°**øïD×G}ºÒ ÉQm& 0H£!å @ïD×G}ºÒÙJ.ÏB<Kâ0 Ë$›Yd©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö¡$ '   https://watson.telemetry.microsoft.comá 9á 9urn:passport:compact*ø**h !†$\}ºÒ ÉQm&  0H !ã @!†$\}ºÒÙJ.ÏB<Kâ0 Ë$›Y Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ ************2017-04-21T08:57:51Z2017-04-21T09:02:51Z*****474a-87ad-2f9a87615fa3-dc1-tip.cloudapp.net wsu:Idh ** „C`}ºÒ ÉQm&  0HV!ä @„C`}ºÒÙJ.ÏB<Kâ0 Ë$›Y Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T08:57:58Z2017-04-21T09:02:58Z********** +# **ð’¨C`}ºÒ ÉQm&  0H¨!å @’¨C`}ºÒÙJ.ÏB<Kâ0 Ë$›Y Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö¡$ ,   474a-87ad-2f9a87615fa3-dc1-tip.cloudapp.netá 9:á 9:urn:passport:compact" S:ð**€ ðÌ·}ºÒ ÉQm& 0H% !ã @ðÌ·}ºÒVáBbC”÷%ïÍ7'\è ©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-21T09:00:25Z2017-04-21T09:05:25Z*****dcat.update.microsoft.comncrypti€ **°k“2¸}ºÒ ÉQm& 0HV!ä @k“2¸}ºÒVáBbC”÷%ïÍ7'\è ©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-21T09:00:27Z2017-04-21T09:05:27Z**********dy>************2017-04-22T05:28:29Z2017-04-22T05:33:29Z*****474a-87ad-2f9a87615fa3-dc1-tip.cloudapp.netNonce>*h **X æ^ÉG)»Ò ÉQm&  0H !ä @æ^ÉG)»Ò`ˆèï¶ @ Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷û **2017-04-22T07:28:56Z2017-04-22T07:33:56Z********S:Senderwst:InvalidRequestInvalid Request0x8004885c0x80045c26TimeStamp in request is invalid or expired To">************2017-04-22T07:28:56Z2017-04-22T07:33:56Z*****474a-87ad-2f9a87615fa3-dc1-tip.cloudapp.netMethod h ** ½¥H)»Ò ÉQm&  0HV!ä @½¥H)»Ò`ˆèï¶ @Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-22T07:28:58Z2017-04-22T07:33:58Z**********="UIdY **ð“¿H)»Ò ÉQm&  0H¨!å @“¿H)»Ò`ˆèï¶ @Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö¡$ ,   474a-87ad-2f9a87615fa3-dc1-tip.cloudapp.netá :á :urn:passport:compactrithð**ˆ c×f’)»Ò ÉQm&  0HB !ã @c×f’)»ÒÁ#6…èš~D¶Ô•Gšqd% øMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷/ **************2017-04-22T07:31:02Z2017-04-22T07:36:02Z*****user.auth.xboxlive.compˆ ** ~œ“)»Ò ÉQm&  0HV!ä @~œ“)»ÒÁ#6…èš~D¶Ô•Gšqd% øMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-22T07:31:02Z2017-04-22T07:36:02Z**********edData **ØЩœ“)»Ò ÉQm&  0H“!å @Щœ“)»ÒÁ#6…èš~D¶Ô•Gšqd% øMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö¡$    user.auth.xboxlive.comá á urn:passport:compactØ**¸c°ýþ)»Ò ÉQm&  0Hq!eè@c°ýþ)»Ò~Û‹½H;Iº¤qÒR‡›  Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"‰( 2Service stoppedThe service has stopped.g/2¸** î;;Ø;»Ò ÉQm&  0H×!eè@î;;Ø;»ÒÓ…NqÀ3D’®|`0 8Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"‰( ˜Service startedThe service will auto stop if no requests received for some period of time.gorit http://www.w3.org/2001/0 ÉQm&  0Hsig#ã @u XØ;»ÒÓ…NqÀ3D’®|`0 ¬Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *èÄ„fpàrºÒ ÉQm&  0H£!å @„fpàrºÒªkò.ë±DK¡¶ò7p<\¯HÄMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö '   https://watson.telemetry.microsoft.comá *3á *2urn:passport:compactèElfChnk11€ðèxõ†ŸÂïG‹:~óèF=Î÷²›f?øm©MFºi(Io&ÉN‘$**¨u XØ;»Ò ÉQm&ÉQmÙÔú\ëWb«mÆß–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-CH5HRODAÿÿB .Security²fLUserID !  0H± !ã @u XØ;»ÒÓ…NqÀ3D’®|`0 ¬Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷*"Û5IE‰/<‘rEsthÿÿ\D‚ EventDataAÿÿ3FΊoData=Value  *************2017-04-22T09:41:48Z2017-04-22T09:46:48Z*****https://vortex-win.data.microsoft.com>**2017-04-22T07:41:26Z2017-04-22T07:46:26Z***********************2017-04-22T08:15:44Z2017-04-22T08:20:44Z*****https://vortex-win.data.microsoft.com:stx ** š`¥@»Ò ÉQm&  0HV!ä @š`¥@»Ò`ˆ{´ØMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-22T08:16:13Z2017-04-22T08:21:13Z**********s>2017 **è!+¥@»Ò ÉQm&  0H¢!å @!+¥@»Ò`ˆ{´ØMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö‘$ &   https://vortex-win.data.microsoft.comá  á  urn:passport:compactmlè**¸ meA»Ò ÉQm&  0Hq!eè@ meA»Òn>ÓÚLB€º û c ØÈMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"i( 2Service stoppedThe service has stopped.nsf¸** E?äªB»Ò ÉQm&  0H×!eè@E?äªB»Òê7cZ¨IŸ´qlúÀøØMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"i( ˜Service startedThe service will auto stop if no requests received for some period of time.iesTo **YåªB»Ò ÉQm&  0H½!á@@YåªB»Òê7cZ¨IŸ´qlúÀøØ|Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äÉN÷Ìä¼ä£ç¼ÔõˆýŠÏ˜xÿÿlAÿÿ/F!= FunctionName Aÿÿ)F= ErrorCode WLIDCreateContext €€tion" S**x ûråªB»Ò ÉQm&  0H-!á@@ûråªB»Òê7cZ¨IŸ´qlúÀøØ< Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äÉNWLIDCreateContext €€sse:Refx** !Â+÷»Ò ÉQm&  0H×!eè@Â+÷»Ò`ˆèþ¼¨!Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"i( ˜Service startedThe service will auto stop if no requests received for some period of time.0/xml **ˆ "‹?—÷»Ò ÉQm&  0HB !ã @‹?—÷»Ò`ˆèþ¼Ì"Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷/ *************2017-04-23T06:02:16Z2017-04-23T06:07:16Z*****https://settings-win.data.microsoft.com/settings/v2.0/ˆ **X#ý¾ù÷»Ò ÉQm&  0H !ä @ý¾ù÷»Ò`ˆèþ¼Ì#Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷û **2017-04-23T08:02:48Z2017-04-23T08:07:48Z********S:Senderwst:InvalidRequestInvalid Request0x8004885c0x80045c26TimeStamp in request is invalid or expired wsu:IX**p${ûù÷»Ò ÉQm&  0H+!â @{ûù÷»Ò`ˆèþ¼Ì$Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational ·ýtIo·ýt‘˜—·$ÇI¹ÜÿÿÐAÿÿ-F= RequestType AÿÿF=cid Aÿÿ)F= ErrorCode Aÿÿ;F-=MachineEnvironment  NULL&\€productionsp**ˆ %³ßú÷»Ò ÉQm&  0HB !ã @³ßú÷»Ò`ˆèþ¼Ì%Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷/ *************2017-04-23T08:02:48Z2017-04-23T08:07:48Z*****https://settings-win.data.microsoft.com/settings/v2.0/ˆ ** &†Å(÷»Ò ÉQm&  0HV!ä @†Å(÷»Ò`ˆèþ¼Ì&Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-23T08:03:00Z2017-04-23T08:08:00Z**********mp>*************2017-04-23T08:03:32Z2017-04-23T08:08:32Z*****https://watson.telemetry.microsoft.com½öˆ **ˆ )IæÀ<÷»Ò ÉQm& 0H2 !ã @IæÀ<÷»Ò`ˆèþ¼ˆ)©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-23T08:03:33Z2017-04-23T08:08:33Z*****https://watson.telemetry.microsoft.comenˆ **°*TÙ<÷»Ò ÉQm& 0HV!ä @TÙ<÷»Ò`ˆèþ¼T*©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-23T08:03:41Z2017-04-23T08:08:41Z**********ww.w3.°**ø+0Ù<÷»Ò ÉQm& 0H£!å @0Ù<÷»Ò`ˆèþ¼T+©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö‘$ '   https://watson.telemetry.microsoft.comá )á )urn:passport:compactsø**°,¸P:=÷»Ò ÉQm& 0HV!ä @¸P:=÷»Ò`ˆèþ¼ˆ,©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-23T08:03:42Z2017-04-23T08:08:42Z**********Securi°**ø-øf:=÷»Ò ÉQm& 0H£!å @øf:=÷»Ò`ˆèþ¼ˆ-©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö‘$ '   https://watson.telemetry.microsoft.comá *á *urn:passport:compact"ø**x .ÊEo÷»Ò ÉQm&  0H2 !ã @ÊEo÷»Ò`ˆèþ¼ˆ.Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-23T08:05:06Z2017-04-23T08:10:06Z*****https://watson.telemetry.microsoft.comodx ** /…ávo÷»Ò ÉQm&  0HV!ä @…ávo÷»Ò`ˆèþ¼ˆ/Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-23T08:05:06Z2017-04-23T08:10:06Z************************2017-04-23T08:05:48Z2017-04-23T08:10:48Z*****user.auth.xboxlive.comtiˆ thod Algorithm="http://w ÉQm&  0Horg/ä @·!@‰÷»ÒP™õþÀïõþ¼2Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷Ce>edData **ØЩœ“)»Ò ÉQm&  0H“!å @Щœ“)»ÒÁ#6…èš~D¶Ô•Gšqd% øMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö¡$    user.auth.xboxlive.comá á urn:passport:compactØ**¸c°ýþ)»Ò ÉQm&  0Hq!eè@c°ýþ)»Ò~Û‹½H;Iº¤qÒR‡›  Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"‰( 2Service stoppedThe service has stopped.g/2¸** î;;Ø;»Ò ÉQm&  0H×!eè@î;;Ø;»ÒÓ…NqÀ3D’®|`0 8Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"‰( ˜Service startedThe service will auto stop if no requests received for some period of time.gorit http://www.w3.org/2001/0 ÉQm&  0Hsig#ã @u XØ;»ÒÓ…NqÀ3D’®|`0 ¬Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *èÄ„fpàrºÒ ÉQm&  0H£!å @„fpàrºÒªkò.ë±DK¡¶ò7p<\¯HÄMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö '   https://watson.telemetry.microsoft.comá *3á *2urn:passport:compactèElfChnk2T2T€¸ò0ÿcº6৛!óèF=Î÷²›f?øm©MFº¹W&a|**È2·!@‰÷»Ò ÉQm&ÉQmÙÔú\ëWb«mÆß–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-CH5HRODAÿÿB .Security²fLUserID !  0HÖ!ä @·!@‰÷»ÒP™õþÀïõþ¼2Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷*"Û5IE‰/<‘rEsthÿÿ\D‚ EventDataAÿÿ3FΊoData=Value C**2017-04-23T08:05:49Z2017-04-23T08:10:49Z**********È**È3‡9@‰÷»Ò ÉQm&  0Hƒ!å @‡9@‰÷»ÒP™õþÀïõþ¼3Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½öŽ½öÆW^KrˆQ’Î8ØÿÿÌAÿÿ-F= ResourceURI Aÿÿ%F=Created Aÿÿ%F=Expires Aÿÿ)F= TokenType Aÿÿ/F!= AuthRequired Aÿÿ1F#= RequestStatus Aÿÿ+F= HasFlowUrl  Aÿÿ+F= HasAuthUrl  Aÿÿ1F#= HasEndAuthUrl      user.auth.xboxlive.comá 1á 1urn:passport:compact/È**€ 4±vÌ´÷»Ò ÉQm& 0H% !ã @±vÌ´÷»ÒSßHÂI¶‚®E2õk¼p4©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-23T08:07:02Z2017-04-23T08:12:02Z*****dcat.update.microsoft.com€ **°5udµ÷»Ò ÉQm& 0HV!ä @udµ÷»Òù§xÍxA‚kú^g7tž¼p5©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-23T08:07:03Z2017-04-23T08:12:03Z**********sse:Se°**ð6ýŒdµ÷»Ò ÉQm& 0H–!å @ýŒdµ÷»Òù§xÍxA‚kú^g7tž¼p6©Ž²CÊßk÷.VDéMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö    dcat.update.microsoft.comá á urn:passport:compact@»Ò`ð**H 7Xí½÷»Ò ÉQm&  0H !ã @Xí½÷»Ò ¯ ÁˆuTH¥6Ùph'ñ7¼ä7Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ð ************2017-04-23T08:07:17Z2017-04-23T08:12:17Z*****www.microsoft.com>H ** 8LVš¾÷»Ò ÉQm&  0HV!ä @LVš¾÷»Ò ¯ ÁˆuTH¥6Ùph'ñ7¼ä8Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-23T08:07:18Z2017-04-23T08:12:18Z**********tion s **Ø9ølš¾÷»Ò ÉQm&  0HŽ!å @ølš¾÷»Ò ¯ ÁˆuTH¥6Ùph'ñ7¼ä9Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö    www.microsoft.comá á urn:passport:compactorg/20Ø**h:-lC*ø»Ò ÉQm&  0H!!eè@-lC*ø»Ò¬b™âÑJ5K¾Y‘áãú–ɼÜ:Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"¹W<¥Ž"!²âÄkt':îA!˜ÿÿŒAÿÿ)F= Operation Aÿÿ%F=Details Aÿÿ#F=Status  2Service stoppedThe service has stopped.*************2017-04-23T08:16:38Z2017-04-23T08:21:38Z*****https://vortex-win.data.microsoft.comthmx ** ="WÏù»Ò ÉQm&  0HV!ä @"WÏù»Òëa5©¤{_H‚³£kø–\U¼ä=Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷C**2017-04-23T08:16:41Z2017-04-23T08:21:41Z**********2000/0 **è>9Ðù»Ò ÉQm&  0H¢!å @9Ðù»Òëa5©¤{_H‚³£kø–\U¼ä>Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ž½ö &   https://vortex-win.data.microsoft.comá )á (urn:passport:compactmeè** ?ªHŽßù»Ò ÉQm&  0H×!eè@ªHŽßù»Ò`ˆ{ò€,´?Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"¹W ˜Service startedThe service will auto stop if no requests received for some period of time.:Secu **@5™ßù»Ò ÉQm&  0H½!á@@5™ßù»Ò`ˆ{ò€,P@Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äa|÷Ìä¼ä£ç¼ÔõˆýŠÏ˜xÿÿlAÿÿ/F!= FunctionName Aÿÿ)F= ErrorCode WLIDCreateContext €€ÉQm&**xA«²ßù»Ò ÉQm&  0H-!á@@«²ßù»Ò`ˆ{ò€,´AMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äa|WLIDCreateContext €€1">**************2017-04-24T17:22:39Z2017-04-24T17:27:39Z*****https://vortex-win.data.microsoft.comx **ˆ Eį&€½Ò ÉQm&  0HB !ã @į&€½Ò`ˆ[vÌà EMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷/ *************2017-04-24T17:22:42Z2017-04-24T17:27:42Z*****https://settings-win.data.microsoft.com/settings/v2.0/ˆ **xFwLiÉ½Ò ÉQm&  0H-!á@@wLiɽÒÅÊ(°[ÐGšZ™1ŒìãmÌhFMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äa|WLIDAcquireTokensQ€€/wsa:Tox**xGæ\NË½Ò ÉQm&  0H-!á@@æ\N˽ÒÅÊ(°[ÐGšZ™1ŒìãmÌà GMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äa|WLIDAcquireTokensQ€€ata xmlx**x H{*“Ö½Ò ÉQm&  0H1 !ã @{*“Ö½ÒÅÊ(°[ÐGšZ™1ŒìãmÌtHMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-24T17:25:07Z2017-04-24T17:30:07Z*****https://vortex-win.data.microsoft.comLs=x **ˆ IY¾dä½Ò ÉQm&  0HB !ã @Y¾dä½ÒÅÊ(°[ÐGšZ™1ŒìãmÌÀ IMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷/ *************2017-04-24T17:25:30Z2017-04-24T17:30:30Z*****https://settings-win.data.microsoft.com/settings/v2.0/ˆ **xJ?½!½Ò ÉQm&  0H-!á@@?½!½ÒÅÊ(°[ÐGšZ™1ŒìãmÌtJMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äa|WLIDAcquireTokensQ€€ httx**x Kân©.½Ò ÉQm&  0H1 !ã @ân©.½ÒÅÊ(°[ÐGšZ™1ŒìãmÌà KMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-04-24T17:27:35Z2017-04-24T17:32:35Z*****https://vortex-win.data.microsoft.com.orx **xLçÖ‰/½Ò ÉQm&  0H-!á@@çÖ‰/½ÒÅÊ(°[ÐGšZ™1ŒìãmÌÀ LMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äa|WLIDAcquireTokensQ€€ipherVax** M÷„|üúèÒ ÉQm&  0H×!eè@÷„|üúèÒ`ˆµK ôMMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž"¹W ˜Service startedThe service will auto stop if no requests received for some period of time./S:En **x N±]žüúèÒ ÉQm&  0H1 !ã @±]žüúèÒ`ˆµK ôNMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-06-19T14:53:52Z2017-06-19T14:58:52Z*****https://vortex-win.data.microsoft.comdInx **xO›}¡üúèÒ ÉQm&  0H-!á@@›}¡üúèÒ`ˆµK ôOMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äa|WLIDAcquireTokense‚€************2017-06-19T14:54:46Z2017-06-19T14:59:46Z*****474a-87ad-2f9a87615fa3-dc1-tip.cloudapp.net>*************2017-06-19T14:54:55Z2017-06-19T14:59:55Z*****https://settings-win.data.microsoft.com/settings/v2.0/mlˆ **xSCèR"ûèÒ ÉQm&  0H-!á@@CèR"ûèÒ`ˆµK üSMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äa|WLIDAcquireTokense‚€lgorithx**x T'XKûèÒ ÉQm&  0H1 !ã @'XKûèÒ“ï¦Ý+qO¸¡t ß:Í 4 TMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-06-19T14:56:04Z2017-06-19T15:01:04Z*****https://vortex-win.data.microsoft.comx     ÉQm&  0HompactèElfChnkUzUz€ û˜üɯØRØÎóèF=Î÷²›f?øm©MFº) &ù **àUœZXKûèÒ ÉQm&ÉQmÙÔú\ëWb«mÆß–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-CH5HRODAÿÿB .Security²fLUserID !  0Hë!á@@œZXKûèÒ“ï¦Ý+qO¸¡t ß:Í 4 UMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷Ìä¼ä£ç¼ÔõˆýŠÏ˜¦ÿÿšD‚ EventDataAÿÿAFΊoData!= FunctionName Aÿÿ)F= ErrorCode WLIDAcquireTokense‚€To à**ÐV~Ž¨ŒûèÒ ÉQm&  0H‡!eè@~Ž¨ŒûèÒ`ˆçI†4ÄVMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž") <¥Ž"!²âÄkt':îA!˜ÿÿŒAÿÿ)F= Operation Aÿÿ%F=Details Aÿÿ#F=Status  ˜Service startedThe service will auto stop if no requests received for some period of time.Ð**È WÊáçŒûèÒ ÉQm&  0Hƒ !ã @ÊáçŒûèÒ`ˆçI†4ÄWMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù ÷*"Û5IE‰/<‘rEst:ÿÿ.Aÿÿ!F=Value  *************2017-06-19T14:57:54Z2017-06-19T15:02:54Z*****https://vortex-win.data.microsoft.comÈ **xX;$ìŒûèÒ ÉQm&  0H-!á@@;$ìŒûèÒ`ˆçI†4ÄXMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokense‚€x**x YŽzT’ûèÒ ÉQm&  0H1 !ã @ŽzT’ûèÒ`ˆçI†4´YMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T14:58:03Z2017-06-19T15:03:03Z*****https://vortex-win.data.microsoft.comx **xZ±T’ûèÒ ÉQm&  0H-!á@@±T’ûèÒ`ˆçI†4´ZMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokense‚€x** [à%{½ûèÒ ÉQm&  0H×!eè@à%{½ûèÒ`ˆýA<D [Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational <¥Ž")  ˜Service startedThe service will auto stop if no requests received for some period of time. **x \N½ûèÒ ÉQm&  0H1 !ã @N½ûèÒ`ˆýA<Ä\Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T14:59:16Z2017-06-19T15:04:16Z*****https://vortex-win.data.microsoft.comx **x]& ‘½ûèÒ ÉQm&  0H-!á@@& ‘½ûèÒ`ˆýA<Ä]Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokense‚€x**x ^÷žEÊûèÒ ÉQm&  0H1 !ã @÷žEÊûèÒ`ˆýA<ð^Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T14:59:37Z2017-06-19T15:04:37Z*****https://vortex-win.data.microsoft.comx **ˆ _g7üÓûèÒ ÉQm&  0HB !ã @g7üÓûèÒ`ˆýA<H _Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù / *************2017-06-19T14:59:53Z2017-06-19T15:04:53Z*****https://settings-win.data.microsoft.com/settings/v2.0/ˆ **h `¨8 àûèÒ ÉQm&  0H !ã @¨8 àûèÒ`ˆýA<`Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  ************2017-06-19T15:00:14Z2017-06-19T15:05:14Z*****474a-87ad-2f9a87615fa3-dc1-tip.cloudapp.neth **xaJ¯Ú éÒ ÉQm&  0H-!á@@J¯Ú éÒµ¼§1ÄÁáFŠYc’ q<ðaMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xb(êÃã éÒ ÉQm&  0H-!á@@(êÃã éÒµ¼§1ÄÁáFŠYc’ q<H bMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**x cÙv›ç éÒ ÉQm&  0H1 !ã @Ùv›ç éÒµ¼§1ÄÁáFŠYc’ q<¤ cMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:02:08Z2017-06-19T17:07:08Z*****https://vortex-win.data.microsoft.comx **x dÌë éÒ ÉQm&  0H2 !ã @Ìë éÒµ¼§1ÄÁáFŠYc’ q<”dMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:02:13Z2017-06-19T17:07:13Z*****https://watson.telemetry.microsoft.comx **xeW…×ï éÒ ÉQm&  0H-!á@@W…×ï éÒµ¼§1ÄÁáFŠYc’ q<eMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**ˆ fóɘ3 éÒ ÉQm&  0HB !ã @óɘ3 éÒ+ñå‘sJnL¢8I¾27-3<„ fMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù / *************2017-06-19T17:04:15Z2017-06-19T17:09:15Z*****https://settings-win.data.microsoft.com/settings/v2.0/ˆ **xgøçì4 éÒ ÉQm&  0H-!á@@øçì4 éÒ+ñå‘sJnL¢8I¾27-3<¤ gMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xhá@6 éÒ ÉQm&  0H-!á@@á@6 éÒ+ñå‘sJnL¢8I¾27-3<”hMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**ˆ iµJ8 éÒ ÉQm&  0HB !ã @µJ8 éÒ+ñå‘sJnL¢8I¾27-3<HiMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù / **************2017-06-19T17:04:23Z2017-06-19T17:09:23Z*****user.auth.xboxlive.comˆ **x jøÈA éÒ ÉQm&  0H1 !ã @øÈA éÒ+ñå‘sJnL¢8I¾27-3<H jMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:04:39Z2017-06-19T17:09:39Z*****https://vortex-win.data.microsoft.comx **x kLÁ%C éÒ ÉQm&  0H2 !ã @LÁ%C éÒ+ñå‘sJnL¢8I¾27-3<kMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:04:41Z2017-06-19T17:09:41Z*****https://watson.telemetry.microsoft.comx **xl¡µ~ éÒ ÉQm&  0H-!á@@¡µ~ éÒ‘˜k~ÆGâB³ÛZP5­¯š<„ lMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xmêžyƒ éÒ ÉQm&  0H-!á@@êžyƒ éÒ‘˜k~ÆGâB³ÛZP5­¯š<HmMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xnO´«Œ éÒ ÉQm&  0H-!á@@O´«Œ éÒ‘˜k~ÆGâB³ÛZP5­¯š<H nMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xo–`KŽ éÒ ÉQm&  0H-!á@@–`KŽ éÒ‘˜k~ÆGâB³ÛZP5­¯š<oMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**x p+Kˆ™ éÒ ÉQm&  0H1 !ã @+Kˆ™ éÒ‘˜k~ÆGâB³ÛZP5­¯š<„ pMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:07:06Z2017-06-19T17:12:06Z*****https://vortex-win.data.microsoft.comx **x q75àš éÒ ÉQm&  0H2 !ã @75àš éÒ‘˜k~ÆGâB³ÛZP5­¯š<H qMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:07:08Z2017-06-19T17:12:08Z*****https://watson.telemetry.microsoft.comx **xr¨hÃä éÒ ÉQm&  0H-!á@@¨hÃä éÒó­@½+A¦Üúã½çÖ<„ rMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xs~Þýå éÒ ÉQm&  0H-!á@@~Þýå éÒó­@½+A¦Üúã½çÖ<H sMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**h tÜ’²ç éÒ ÉQm&  0H !ã @Ü’²ç éÒó­@½+A¦Üúã½çÖ<”tMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  ************2017-06-19T17:09:17Z2017-06-19T17:14:17Z*****474a-87ad-2f9a87615fa3-dc1-tip.cloudapp.neth **x u”añ éÒ ÉQm&  0H1 !ã @”añ éÒó­@½+A¦Üúã½çÖ<H uMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:09:34Z2017-06-19T17:14:34Z*****https://vortex-win.data.microsoft.comx **x v;¥ ó éÒ ÉQm&  0H2 !ã @;¥ ó éÒó­@½+A¦Üúã½çÖ<<vMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:09:36Z2017-06-19T17:14:36Z*****https://watson.telemetry.microsoft.comx **xw„3éÒ ÉQm&  0H-!á@@„3éÒ)ù‚í¸VHC~+bðåm<”wMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xx`ȉ<éÒ ÉQm&  0H-!á@@`ȉ<éÒ)ù‚í¸VHC~+bðåm<H xMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xyˆD>éÒ ÉQm&  0H-!á@@ˆD>éÒ)ù‚í¸VHC~+bðåm<<yMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xz1€gDéÒ ÉQm&  0H-!á@@1€gDéÒ)ù‚í¸VHC~+bðåm<H zMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDCreateContext €€xElfChnk{Š{Š€¨j l÷nfNþ„+óèF=Î÷²›f?øm©MFº&i!**¨{5 IéÒ ÉQm&ÉQmÙÔú\ëWb«mÆß–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-CH5HRODAÿÿB .Security²fLUserID !  0H± !ã @5 IéÒ)ù‚í¸VHC~+bðåm<H {Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷*"Û5IE‰/<‘rEsthÿÿ\D‚ EventDataAÿÿ3FΊoData=Value  *************2017-06-19T17:12:01Z2017-06-19T17:17:01Z*****https://vortex-win.data.microsoft.com>*************2017-06-19T17:12:04Z2017-06-19T17:17:04Z*****https://watson.telemetry.microsoft.com:Cx **}­ºP”éÒ ÉQm&  0H½!á@@­ºP”éÒ™Ài¥»ŸæK]ghsÀ<<H }Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äi!÷Ìä¼ä£ç¼ÔõˆýŠÏ˜xÿÿlAÿÿ/F!= FunctionName Aÿÿ)F= ErrorCode WLIDAcquireTokensQ€€nc#sha2**x~a‰–éÒ ÉQm&  0H-!á@@a‰–éÒ™Ài¥»ŸæK]ghsÀ<<”~Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äi!WLIDAcquireTokensQ€€="http:x**x˜Ý éÒ ÉQm&  0H-!á@@˜Ý éÒdº:¼}|C·4}#pë‹~<H Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äi!WLIDCreateContext €€s:Headex**x€#ÂÝ éÒ ÉQm&  0H-!á@@#ÂÝ éÒdº:¼}|C·4}#pë‹~<H €Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äi!WLIDCreateContext €€ÉQm&x**x Ùü¤éÒ ÉQm&  0H1 !ã @Ùü¤éÒdº:¼}|C·4}#pë‹~<ðMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-06-19T17:14:33Z2017-06-19T17:19:33Z*****https://vortex-win.data.microsoft.comritx **x ‚=¦éÒ ÉQm&  0H2 !ã @=¦éÒdº:¼}|C·4}#pë‹~<”‚Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ *************2017-06-19T17:14:37Z2017-06-19T17:19:37Z*****https://watson.telemetry.microsoft.com"#x **h ƒ”›«¿éÒ ÉQm&  0H !ã @”›«¿éÒKls£þˆG¨z+Åã÷<¤ ƒMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5÷ ************2017-06-19T17:15:20Z2017-06-19T17:20:20Z*****474a-87ad-2f9a87615fa3-dc1-tip.cloudapp.netethod>************2017-06-19T17:15:56Z2017-06-19T17:20:56Z*****474a-87ad-2f9a87615fa3-dc1-tip.cloudapp.netatureMeh **x…MVñéÒ ÉQm&  0H-!á@@MVñéÒx—c F„Of@}©´<ð…Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äi!WLIDAcquireTokensQ€€nsformsx**x†…§VñéÒ ÉQm&  0H-!á@@…§VñéÒx—c F„Of@}©´<”†Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äi!WLIDAcquireTokensQ€€ce>*************2017-06-19T17:16:51Z2017-06-19T17:21:51Z*****https://vortex-win.data.microsoft.comefex **xŠÛ7öéÒ ÉQm&  0H-!á@@Û7öéÒ`ˆýA<<ŠMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼äi!WLIDAcquireTokense‚€mx **x dÌë éÒ ÉQm&  0H2 !ã @Ìë éÒµ¼§1ÄÁáFŠYc’ q<”dMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:02:13Z2017-06-19T17:07:13Z*****https://watson.telemetry.microsoft.comx **xeW…×ï éÒ ÉQm&  0H-!á@@W…×ï éÒµ¼§1ÄÁáFŠYc’ q<eMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**ˆ fóɘ3 éÒ ÉQm&  0HB !ã @óɘ3 éÒ+ñå‘sJnL¢8I¾27-3<„ fMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù / *************2017-06-19T17:04:15Z2017-06-19T17:09:15Z*****https://settings-win.data.microsoft.com/settings/v2.0/ˆ **xgøçì4 éÒ ÉQm&  0H-!á@@øçì4 éÒ+ñå‘sJnL¢8I¾27-3<¤ gMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xhá@6 éÒ ÉQm&  0H-!á@@á@6 éÒ+ñå‘sJnL¢8I¾27-3<”hMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**ˆ iµJ8 éÒ ÉQm&  0HB !ã @µJ8 éÒ+ñå‘sJnL¢8I¾27-3<HiMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù / **************2017-06-19T17:04:23Z2017-06-19T17:09:23Z*****user.auth.xboxlive.comˆ **x jøÈA éÒ ÉQm&  0H1 !ã @øÈA éÒ+ñå‘sJnL¢8I¾27-3<H jMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:04:39Z2017-06-19T17:09:39Z*****https://vortex-win.data.microsoft.comx **x kLÁ%C éÒ ÉQm&  0H2 !ã @LÁ%C éÒ+ñå‘sJnL¢8I¾27-3<kMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:04:41Z2017-06-19T17:09:41Z*****https://watson.telemetry.microsoft.comx **xl¡µ~ éÒ ÉQm&  0H-!á@@¡µ~ éÒ‘˜k~ÆGâB³ÛZP5­¯š<„ lMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xmêžyƒ éÒ ÉQm&  0H-!á@@êžyƒ éÒ‘˜k~ÆGâB³ÛZP5­¯š<HmMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xnO´«Œ éÒ ÉQm&  0H-!á@@O´«Œ éÒ‘˜k~ÆGâB³ÛZP5­¯š<H nMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xo–`KŽ éÒ ÉQm&  0H-!á@@–`KŽ éÒ‘˜k~ÆGâB³ÛZP5­¯š<oMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**x p+Kˆ™ éÒ ÉQm&  0H1 !ã @+Kˆ™ éÒ‘˜k~ÆGâB³ÛZP5­¯š<„ pMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:07:06Z2017-06-19T17:12:06Z*****https://vortex-win.data.microsoft.comx **x q75àš éÒ ÉQm&  0H2 !ã @75àš éÒ‘˜k~ÆGâB³ÛZP5­¯š<H qMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:07:08Z2017-06-19T17:12:08Z*****https://watson.telemetry.microsoft.comx **xr¨hÃä éÒ ÉQm&  0H-!á@@¨hÃä éÒó­@½+A¦Üúã½çÖ<„ rMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xs~Þýå éÒ ÉQm&  0H-!á@@~Þýå éÒó­@½+A¦Üúã½çÖ<H sMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**h tÜ’²ç éÒ ÉQm&  0H !ã @Ü’²ç éÒó­@½+A¦Üúã½çÖ<”tMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  ************2017-06-19T17:09:17Z2017-06-19T17:14:17Z*****474a-87ad-2f9a87615fa3-dc1-tip.cloudapp.neth **x u”añ éÒ ÉQm&  0H1 !ã @”añ éÒó­@½+A¦Üúã½çÖ<H uMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:09:34Z2017-06-19T17:14:34Z*****https://vortex-win.data.microsoft.comx **x v;¥ ó éÒ ÉQm&  0H2 !ã @;¥ ó éÒó­@½+A¦Üúã½çÖ<<vMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  *************2017-06-19T17:09:36Z2017-06-19T17:14:36Z*****https://watson.telemetry.microsoft.comx **xw„3éÒ ÉQm&  0H-!á@@„3éÒ)ù‚í¸VHC~+bðåm<”wMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xx`ȉ<éÒ ÉQm&  0H-!á@@`ȉ<éÒ)ù‚í¸VHC~+bðåm<H xMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xyˆD>éÒ ÉQm&  0H-!á@@ˆD>éÒ)ù‚í¸VHC~+bðåm<<yMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDAcquireTokensQ€€x**xz1€gDéÒ ÉQm&  0H-!á@@1€gDéÒ)ù‚í¸VHC~+bðåm<H zMicrosoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational Ìä¼ä÷WLIDCreateContext €€x ÉQm&  0Hã @5 IéÒ)ù‚í¸VHC~+bðåm<H {Microsoft-Windows-LiveId—%ð…þgN…BiVz¸ýOMicrosoft-Windows-LiveId/Operational *"Û5ù  python-evtx-0.7.4/tests/data/issue_43.evtx000066400000000000000000102100001402613732500204450ustar00rootroot00000000000000ElfFileÀ|²–ñElfChnkNN€ýÿ_ñ0󱕄  óèH=Î÷²›f?øm©MFº& ‹ ùƒn**P%Öe¡³$Ó  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID ! 0H]!€Ã!<¡³$Ó L ³>XÕÕÝÞ|&æY4èMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational æ†t3ùæ†t3àŽ¹õÝö Sf¸.†ìÿÿà D‚ EventDataAÿÿ7HΊoData=UtcTime Aÿÿ1H#= Configuration AÿÿAH3=ConfigurationFileHash .2017-09-03 12:53:24.655Ð^F€AFowP**ˆIl¡³$Ó  ?Õ,&  0HQ!€%Öe¡³$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ^¼T‹ ^¼TïÀ ÛËíd±JÊÿÿ¾ Aÿÿ%H=UtcTime Aÿÿ!H=State Aÿÿ%H=Version Aÿÿ1H#= SchemaVersion .2017-09-03 12:53:24.937Started6.033.30ce ˆ**ðgo¡³$Ó  ?Õ,&  0H·!€Il¡³$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx À5ñxaæâçz|°âÊRÿÿF Aÿÿ%H=UtcTime Aÿÿ-H= ProcessGuid Aÿÿ)H= ProcessId Aÿÿ!H=Image Aÿÿ-H= CommandLine Aÿÿ7H)=CurrentDirectory AÿÿH=User Aÿÿ)H= LogonGuid Aÿÿ%H=LogonId Aÿÿ9H+=TerminalSessionId Aÿÿ3H%=IntegrityLevel Aÿÿ#H=Hashes Aÿÿ9H+=ParentProcessGuid Aÿÿ5H'=ParentProcessId Aÿÿ-H= ParentImage Aÿÿ9H+=ParentCommandLine .**(& Z@@2017-09-03 12:53:24.774ŸR Dû«Yö‹òtC:\Windows\Sysmon.exeC:\Windows\Sysmon.exeC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=849B8DFAF9159AFDC14D514B2243D4D5BA2FF9A4ŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exeð**ÈZÖv®³$Ó  ?Õ,&  0H“!€go¡³$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å¢å _Ö¡`Ÿ(À›AÊÿÿ¾ Aÿÿ%H=UtcTime Aÿÿ-H= ProcessGuid Aÿÿ)H= ProcessId Aÿÿ!H=Image .L2017-09-03 12:53:24.984ŸR @û«YC;ò C:\tool-test\tools\Sysmon\Sysmon64.exeÈ**èkuz®³$Ó  ?Õ,&  0H±!€ZÖv®³$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .Lh4,Zr2017-09-03 12:53:46.861ŸR Zû«YÁœòlC:\tool-test\tools\Sysmon\Sysmon64.exe"C:\tool-test\tools\Sysmon\Sysmon64.exe" -c -n -l -rC:\tool-test\tools\Sysmon\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=849B8DFAF9159AFDC14D514B2243D4D5BA2FF9A4ŸR Zâ«Y-Kä¸C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\Sysmon'è** W3{®³$Ó  ?Õ,& 0HY!€kuz®³$Ól̳>XÕÕÝÞ|&æY4èMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational æ†t3ù.2017-09-03 12:53:46.8750VèdƒPÀèdƒ **è;›¯³$Ó  ?Õ,&  0H±!€W3{®³$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.L2017-09-03 12:53:46.890ŸR Zû«YÁœòlC:\tool-test\tools\Sysmon\Sysmon64.exeè**Þ?;°³$Ó  ?Õ,&  0Hã!€;›¯³$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .Tl(& ZJ`2017-09-03 12:53:48.757ŸR \û«Y{Ÿò C:\Windows\System32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe18_ Global\UsGthrCtrlFltPipeMssGthrPipe18 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=95BEE7F8274B133E9AB524C330ACAE7E69492CFDŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding**ð ‰Áy°³$Ó  ?Õ,&  0H»!€Þ?;°³$Ót” Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .J`(& Z>Z2017-09-03 12:53:49.783ŸR ]û«Y¬½ò C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3BE30552A136411E225932C6B4FDAC6454F1898EŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchð**0 Âp³³$Ó  ?Õ,&  0H÷!€‰Áy°³$Ót” Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .P„(& ZJ`2017-09-03 12:53:50.191ŸR ^û«YµÒòÐC:\Windows\System32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 688 692 700 8192 696 C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççMediumSHA1=E650ECE4807C47CE70E4773B298CE789D3885072ŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding0** òîw³³$Ó  ?Õ,&  0H×!€Âp³³$Ót” Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.r2017-09-03 12:53:55.187ŸR Zâ«Y-Kä¸C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe**Ø Ê@˳$Ó  ?Õ,&  0H£!€òîw³³$Ót” Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.>2017-09-03 12:53:55.249ŸR Zâ«Y‡Kä|C:\Windows\System32\conhost.exeØ**ð Ò­ôß³$Ó  ?Õ,&  0H¹!€Ê@˳$Ót” Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.T2017-09-03 12:54:35.156ŸR 1û«Y !òøC:\Windows\System32\backgroundTaskHost.exeð**ðqõß³$Ó  ?Õ,&  0H¹!€Ò­ôß³$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.T2017-09-03 12:55:09.891ŸR \û«Y{Ÿò C:\Windows\System32\SearchProtocolHost.exeð**èwHßG´$Ó  ?Õ,&  0Hµ!€qõß³$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.P2017-09-03 12:55:09.891ŸR ^û«YµÒòÐC:\Windows\System32\SearchFilterHost.exeè** Ê­òG´$Ó  ?Õ,&  0Hm!€wHßG´$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .B(, Z>T2017-09-03 12:58:04.222ŸR \ü«YefólC:\Windows\System32\taskhostw.exetaskhostw.exeC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs **àV»ŠÈ´$Ó  ?Õ,&  0H§!€Ê­òG´$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.B2017-09-03 12:58:04.360ŸR \ü«YefólC:\Windows\System32\taskhostw.exeà**èx›É´$Ó  ?Õ,&  0H¯!€V»ŠÈ´$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .ÚÈ,Z>Z2017-09-03 13:01:40.088ŸR 4ý«Y“ÃóøC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe" -ServerName:Hx.IPC.ServerC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=E1833044E4A0847B2308DAB7C64F240FDAD15C46ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchè**x‘@NÌ´$Ó  ?Õ,&  0H?!€x›É´$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.Ú2017-09-03 13:01:41.892ŸR 4ý«Y“ÃóøC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exex**Õ²Ù´$Ó  ?Õ,&  0Hã!€‘@NÌ´$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .ÚP¾,Z>Z2017-09-03 13:01:46.384ŸR :ý«Y¸ôhC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe"C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe" -ServerName:App.AppX5fk30j505cah0hbcsx7j4sb0mpdk18qy.mcaC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=785E4E35015FC4E74613E37E23606C093EB7DE1AŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch**xÀÎÝ´$Ó  ?Õ,&  0H?!€Õ²Ù´$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.Ú2017-09-03 13:02:07.860ŸR :ý«Y¸ôhC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exex**¡Õ#Ý´$Ó  ?Õ,&  0Hã!€ÀÎÝ´$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .Tl(& ZJ`2017-09-03 13:02:14.489ŸR Vý«Y@þôC:\Windows\System32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe19_ Global\UsGthrCtrlFltPipeMssGthrPipe19 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=95BEE7F8274B133E9AB524C330ACAE7E69492CFDŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding**0•(Ý´$Ó  ?Õ,&  0H÷!€¡Õ#Ý´$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .P„(& ZJ`2017-09-03 13:02:14.669ŸR Vý«YLõÀC:\Windows\System32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 688 692 700 8192 696 C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççMediumSHA1=E650ECE4807C47CE70E4773B298CE789D3885072ŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding0**(«pÎó´$Ó  ?Õ,&  0Hï!€•(Ý´$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.Š2017-09-03 13:02:14.688ŸR \Þ«Y·ÓlC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\pythonw.exe(** Zlâó´$Ó  ?Õ,&  0Hm!€«pÎó´$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .B(, Z>T2017-09-03 13:02:52.695ŸR |ý«Y)õ@C:\Windows\System32\taskhostw.exetaskhostw.exeC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs **àxzô´$Ó  ?Õ,&  0H§!€Zlâó´$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.B2017-09-03 13:02:52.813ŸR |ý«Y)õ@C:\Windows\System32\taskhostw.exeà**Àf·¯ µ$Ó  ?Õ,&  0H‰!€xzô´$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .>R(& Z@@2017-09-03 13:02:53.812ŸR }ý«Y…3õô C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k wsappxC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=FD9154EC5FED8B2EE3A71E95CF62601AC9296509ŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exeÀ**èò¤ µ$Ó  ?Õ,&  0H¯!€f·¯ µ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.J2017-09-03 13:03:34.438ŸR ]û«Y¬½ò C:\Windows\System32\wbem\WmiPrvSE.exeè** ‡^@!µ$Ó  ?Õ,&  0Hm!€ò¤ µ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .B(, Z>T2017-09-03 13:04:07.888ŸR Çý«Y„éõ<C:\Windows\System32\taskhostw.exetaskhostw.exeC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs **àh2ŸEµ$Ó  ?Õ,&  0H§!€‡^@!µ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.B2017-09-03 13:04:08.923ŸR Çý«Y„éõ<C:\Windows\System32\taskhostw.exeà**ðeߟEµ$Ó  ?Õ,&  0H¹!€h2ŸEµ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.T2017-09-03 13:05:09.955ŸR Vý«Y@þôC:\Windows\System32\SearchProtocolHost.exeð**è 5”tµ$Ó  ?Õ,&  0Hµ!€eߟEµ$Ót” Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.P2017-09-03 13:05:09.955ŸR Vý«YLõÀC:\Windows\System32\SearchFilterHost.exeè**À!ð8átµ$Ó  ?Õ,&  0H‡!€5”tµ$Ót”!Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒntlüâ:IŽ'1¶ÌÔˆŒÿÿ€ Aÿÿ%H=UtcTime Aÿÿ-H= ProcessGuid Aÿÿ)H= ProcessId Aÿÿ!H=Image Aÿÿ3H%=TargetFilename Aÿÿ5H'=CreationUtcTime AÿÿEH7=PreviousCreationUtcTime .b´..2017-09-03 13:06:28.736ŸR ‡–«Y#ŽC:\Program Files\VMware\VMware Tools\vmtoolsd.exeC:\Users\MNWPRO\AppData\Local\Temp\vmware-MNWPRO\VMwareDnD\75bc9edc\python-evtx-master.zip2017-09-03 13:05:27.4352017-09-03 13:06:28.720À**0":ówµ$Ó  ?Õ,&  0H÷!€ð8átµ$Ót”"Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .>¢(, Z>Z2017-09-03 13:06:29.227ŸR Uþ«Y÷}ö¨C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch0**Ø#V)7}µ$Ó  ?Õ,&  0H£!€:ówµ$Ót”#Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.>2017-09-03 13:06:34.392ŸR Uþ«Y÷}ö¨C:\Windows\System32\dllhost.exeØ**¸$èY}µ$Ó  ?Õ,&  0H!€V)7}µ$Ót”$Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..†..2017-09-03 13:06:43.220ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\.gitignore2017-07-16 10:15:06.0002017-07-16 10:15:06.000¸**¸%Ш]}µ$Ó  ?Õ,&  0Hƒ!€èY}µ$Ót”%Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..ˆ..2017-09-03 13:06:43.439ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\.travis.yml2017-07-16 10:15:06.0002017-07-16 10:15:06.000¸**¸& ×a}µ$Ó  ?Õ,&  0Hƒ!€Ð¨]}µ$Ót”&Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..ˆ..2017-09-03 13:06:43.470ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\LICENSE.TXT2017-07-16 10:15:06.0002017-07-16 10:15:06.000¸**¸'D„d}µ$Ó  ?Õ,&  0H!€ ×a}µ$Ót”'Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..„..2017-09-03 13:06:43.501ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\README.md2017-07-16 10:15:06.0002017-07-16 10:15:06.000¸**°(?Ÿi}µ$Ó  ?Õ,&  0H}!€D„d}µ$Ót”(Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..‚..2017-09-03 13:06:43.516ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\setup.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000°**È)ÜÎm}µ$Ó  ?Õ,&  0H•!€?Ÿi}µ$Ót”)Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..š..2017-09-03 13:06:43.548ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\Evtx\BinaryParser.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000È**¸*cêt}µ$Ó  ?Õ,&  0H…!€ÜÎm}µ$Ót”*Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..Š..2017-09-03 13:06:43.580ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\Evtx\Evtx.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000¸**À+kÈy}µ$Ó  ?Õ,&  0H‡!€cêt}µ$Ót”+Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..Œ..2017-09-03 13:06:43.611ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\Evtx\Nodes.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000À**À,¬s„}µ$Ó  ?Õ,&  0H‡!€kÈy}µ$Ót”,Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..Œ..2017-09-03 13:06:43.658ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\Evtx\Views.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000À**À-í׋}µ$Ó  ?Õ,&  0H!€¬s„}µ$Ót”-Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..’..2017-09-03 13:06:43.720ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\Evtx\__init__.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000À**È.b}µ$Ó  ?Õ,&  0H•!€í׋}µ$Ót”.Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..š..2017-09-03 13:06:43.767ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\scripts\evtx_dump.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000È**à/3“}µ$Ó  ?Õ,&  0H­!€b}µ$Ót”/Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..²..2017-09-03 13:06:43.798ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\scripts\evtx_dump_chunk_slack.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000à**è0Àè–}µ$Ó  ?Õ,&  0H±!€3“}µ$Ót”0Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..¶..2017-09-03 13:06:43.814ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\scripts\evtx_eid_record_numbers.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000è**à1Ôš}µ$Ó  ?Õ,&  0H©!€Àè–}µ$Ót”1Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..®..2017-09-03 13:06:43.845ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\scripts\evtx_extract_record.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000à**à28ž}µ$Ó  ?Õ,&  0H©!€Ôš}µ$Ót”2Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..®..2017-09-03 13:06:43.876ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\scripts\evtx_filter_records.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000à**È3V¥¢}µ$Ó  ?Õ,&  0H•!€8ž}µ$Ót”3Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..š..2017-09-03 13:06:43.892ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\scripts\evtx_info.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000È**à4mŠ¦}µ$Ó  ?Õ,&  0H­!€V¥¢}µ$Ót”4Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..²..2017-09-03 13:06:43.907ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\scripts\evtx_record_structure.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000à**à5`©}µ$Ó  ?Õ,&  0H«!€mŠ¦}µ$Ót”5Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..°..2017-09-03 13:06:43.938ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\scripts\evtx_record_template.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000à**Ø6^Ú«}µ$Ó  ?Õ,&  0HŸ!€`©}µ$Ót”6Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..¤..2017-09-03 13:06:43.970ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\scripts\evtx_structure.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000Ø**Ø7±×¯}µ$Ó  ?Õ,&  0HŸ!€^Ú«}µ$Ót”7Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..¤..2017-09-03 13:06:43.986ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\scripts\evtx_templates.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000Ø**È8 Œ±}µ$Ó  ?Õ,&  0H!€±×¯}µ$Ót”8Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..”..2017-09-03 13:06:44.017ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\tests\fixtures.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000È**È9¨[·}µ$Ó  ?Õ,&  0H•!€ Œ±}µ$Ót”9Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..š..2017-09-03 13:06:44.017ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\tests\test_chunks.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000È**È:O»}µ$Ó  ?Õ,&  0H•!€¨[·}µ$Ót”:Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..š..2017-09-03 13:06:44.064ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\tests\test_header.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000È**Ð;þ!¾}µ$Ó  ?Õ,&  0H™!€O»}µ$Ót”;Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..ž..2017-09-03 13:06:44.080ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\tests\test_issue_37.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000Ð**Ð<irÁ}µ$Ó  ?Õ,&  0H™!€þ!¾}µ$Ót”<Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..ž..2017-09-03 13:06:44.095ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\tests\test_issue_38.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000Ð**Ð=ŽöÈ}µ$Ó  ?Õ,&  0H™!€irÁ}µ$Ót”=Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..ž..2017-09-03 13:06:44.126ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\tests\test_issue_39.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000Ð**Ð>ÃÌ}µ$Ó  ?Õ,&  0H—!€ŽöÈ}µ$Ót”>Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..œ..2017-09-03 13:06:44.173ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\tests\test_records.py2017-07-16 10:15:06.0002017-07-16 10:15:06.000Ð**è?T Ñ}µ$Ó  ?Õ,&  0H¯!€ÃÌ}µ$Ót”?Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..´..2017-09-03 13:06:44.204ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\tests\data\dns_log_malformed.evtx2017-07-16 10:15:06.0002017-07-16 10:15:06.000è**Ð@² Ø}µ$Ó  ?Õ,&  0H!€T Ñ}µ$Ót”@Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..¢..2017-09-03 13:06:44.235ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\tests\data\issue_38.evtx2017-07-16 10:15:06.0002017-07-16 10:15:06.000Ð**ÐA hà}µ$Ó  ?Õ,&  0H!€² Ø}µ$Ót”AMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..¢..2017-09-03 13:06:44.282ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\tests\data\issue_39.evtx2017-07-16 10:15:06.0002017-07-16 10:15:06.000Ð**ÈBFºä}µ$Ó  ?Õ,&  0H•!€ hà}µ$Ót”BMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..š..2017-09-03 13:06:44.330ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\tests\data\readme.md2017-07-16 10:15:06.0002017-07-16 10:15:06.000È**ÐCjßï}µ$Ó  ?Õ,&  0H!€Fºä}µ$Ót”CMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..¢..2017-09-03 13:06:44.361ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\tests\data\security.evtx2017-07-16 10:15:06.0002017-07-16 10:15:06.000Ð**ÐDï×0„µ$Ó  ?Õ,&  0H™!€jßï}µ$Ót”DMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒn..ž..2017-09-03 13:06:44.423ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\python-evtx-master\python-evtx-master\tests\data\system.evtx2017-07-16 10:15:06.0002017-07-16 10:15:06.000Ð**EË瑵$Ó  ?Õ,&  0Hã!€ï×0„µ$Ót”EMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .ÚP¾,Z>Z2017-09-03 13:06:54.932ŸR nþ«YÎâ÷C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe"C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe" -ServerName:App.AppX5fk30j505cah0hbcsx7j4sb0mpdk18qy.mcaC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=785E4E35015FC4E74613E37E23606C093EB7DE1AŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch**xFý"]“µ$Ó  ?Õ,&  0H?!€Ë瑵$Ót”FMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.Ú2017-09-03 13:07:16.563ŸR nþ«YÎâ÷C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exex**GŠ'ª¯µ$Ó  ?Õ,&  0Hã!€ý"]“µ$Ót”GMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .ÚP¾,Z>Z2017-09-03 13:07:20.386ŸR ˆþ«Y‚ßø„C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe"C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe" -ServerName:App.AppX5fk30j505cah0hbcsx7j4sb0mpdk18qy.mcaC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=785E4E35015FC4E74613E37E23606C093EB7DE1AŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch**xHï䶵$Ó  ?Õ,&  0H?!€Š'ª¯µ$Ót”HMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.Ú2017-09-03 13:08:07.860ŸR ˆþ«Y‚ßø„C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exex**I±e¨Âµ$Ó  ?Õ,&  0Hã!€ï䶵$Ót”IMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .ÚP¾,Z>Z2017-09-03 13:08:18.667ŸR Âþ«YÎZúC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe"C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe" -ServerName:App.AppX5fk30j505cah0hbcsx7j4sb0mpdk18qy.mcaC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=785E4E35015FC4E74613E37E23606C093EB7DE1AŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch**xJ7 ȵ$Ó  ?Õ,&  0H?!€±e¨Âµ$Ót”JMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.Ú2017-09-03 13:08:39.721ŸR Âþ«YÎZúC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exex**K³3ȵ$Ó  ?Õ,&  0Hã!€7 ȵ$Ót”KMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .Tl(& ZJ`2017-09-03 13:08:48.753ŸR àþ«Y± ûÈC:\Windows\System32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe20_ Global\UsGthrCtrlFltPipeMssGthrPipe20 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=95BEE7F8274B133E9AB524C330ACAE7E69492CFDŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding**0LTI‰Ëµ$Ó  ?Õ,&  0H÷!€³3ȵ$Ót”LMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .P„(& ZJ`2017-09-03 13:08:49.037ŸR áþ«Y~ûpC:\Windows\System32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 688 692 700 8192 696 C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççMediumSHA1=E650ECE4807C47CE70E4773B298CE789D3885072ŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding0**˜Mâëw̵$Ó  ?Õ,&  0H_!€TI‰Ëµ$Ót”MMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx .x¦(& Zbf2017-09-03 13:08:54.615ŸR æþ«YÝûœC:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1024 768 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"˜**Næópϵ$Ó  ?Õ,&  0HÝ!€âëw̵$Ót”NMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å.x2017-09-03 13:08:56.189ŸR æþ«YÝûœC:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe  ?Õ,&  0ô„€æópϵ$Ót”OMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙstem ElfChnkO–O–€xühþP*Á:JÀ½óè8=Î÷²›f?øm©MFº[&éË{Ñ**`OwÜvÒµ$Ó  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H{!€æópϵ$Ót”OMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxéÀ5ñxaæâçz|°âÊ€ÿÿtD‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .ÚP¾,Z>Z2017-09-03 13:09:01.180ŸR íþ«Y"„ûŒC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe"C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe" -ServerName:App.AppX5fk30j505cah0hbcsx7j4sb0mpdk18qy.mcaC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=785E4E35015FC4E74613E37E23606C093EB7DE1AŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchren`**0Pî¬Ôµ$Ó  ?Õ,&  0H÷!€wÜvÒµ$Ót”PMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(, Z>Z2017-09-03 13:09:06.243ŸR òþ«Y øûpC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch A0**¸Q ešÕµ$Ó  ?Õ,&  0H…!€î¬Ôµ$Ót”QMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË¢å _Ö¡`Ÿ(À›AÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .>2017-09-03 13:09:09.955ŸR }ý«Y…3õô C:\Windows\System32\svchost.exe«¸**ØRM)ãÖµ$Ó  ?Õ,&  0H£!€ ešÕµ$Ót”RMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.>2017-09-03 13:09:11.517ŸR òþ«Y øûpC:\Windows\System32\dllhost.exe32Ø**¸SÓ´Þµ$Ó  ?Õ,&  0H!€M)ãÖµ$ÓtHSMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ].,Î[].,ήÄÃÜνŠÀïiQÙ2ÿÿ&Aÿÿ%8=UtcTime Aÿÿ-8= ImageLoaded Aÿÿ#8=Hashes Aÿÿ#8=Signed Aÿÿ)8= Signature Aÿÿ58'=SignatureStatus .NZ" 2017-09-03 13:08:55.221C:\Windows\System32\drivers\monitor.sysSHA1=1519DFF558D2C4443109F506486E55E2F590A77AtrueMicrosoft WindowsValidt-Wi¸**xTÆRàµ$Ó  ?Õ,&  0H?!€Ó´Þµ$Ót”TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.Ú2017-09-03 13:09:26.783ŸR íþ«Y"„ûŒC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exeTx**U ‡ðíµ$Ó  ?Õ,&  0Hã!€ÆRàµ$Ót”UMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ÚP¾,Z>Z2017-09-03 13:09:28.930ŸR ÿ«Y£¹üØ C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe"C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe" -ServerName:App.AppX5fk30j505cah0hbcsx7j4sb0mpdk18qy.mcaC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=785E4E35015FC4E74613E37E23606C093EB7DE1AŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchJ**xV•yîµ$Ó  ?Õ,&  0H?!€ ‡ðíµ$Ót”VMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.Ú2017-09-03 13:09:52.329ŸR ÿ«Y£¹üØ C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exeost.x**W v‚÷µ$Ó  ?Õ,&  0Hã!€•yîµ$Ót”WMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ÚP¾,Z>Z2017-09-03 13:09:53.244ŸR !ÿ«Yh}ýü C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe"C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe" -ServerName:App.AppX5fk30j505cah0hbcsx7j4sb0mpdk18qy.mcaC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=785E4E35015FC4E74613E37E23606C093EB7DE1AŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchWi**xX”±š÷µ$Ó  ?Õ,&  0H?!€ v‚÷µ$Ót”XMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.Ú2017-09-03 13:10:08.392ŸR !ÿ«Yh}ýü C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exex**Y.µÿµ$Ó  ?Õ,&  0Hã!€”±š÷µ$Ót”YMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ÚP¾,Z>Z2017-09-03 13:10:08.562ŸR 0ÿ«YÀ;þÌC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe"C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe" -ServerName:App.AppX5fk30j505cah0hbcsx7j4sb0mpdk18qy.mcaC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=785E4E35015FC4E74613E37E23606C093EB7DE1AŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch**xZ¹Îÿµ$Ó  ?Õ,&  0H?!€.µÿµ$Ót”ZMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.Ú2017-09-03 13:10:22.142ŸR 0ÿ«YÀ;þÌC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exeWindx**[/S¶$Ó  ?Õ,&  0Hã!€¹Îÿµ$Ót”[Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ÚP¾,Z>Z2017-09-03 13:10:22.323ŸR >ÿ«Y„ûþ´C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe"C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe" -ServerName:App.AppX5fk30j505cah0hbcsx7j4sb0mpdk18qy.mcaC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=785E4E35015FC4E74613E37E23606C093EB7DE1AŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLauncher**x\÷yv¶$Ó  ?Õ,&  0H?!€/S¶$Ót”\Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.Ú2017-09-03 13:10:34.501ŸR >ÿ«Y„ûþ´C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exex**à]ñ´Š¶$Ó  ?Õ,&  0H­!€÷yv¶$Ót”]Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé."°(, Z..2017-09-03 13:10:36.835ŸR Lÿ«Y.Íÿ`C:\Windows\py.exe"C:\Windows\py.exe" "C:\tool-test\tools\python-evtx-master\python-evtx-master\setup.py" C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=CEC09ABE2B23F0EFA16A4067F2F6738B3C1A1893ŸR S–«Y­{ C:\Windows\explorer.exeC:\Windows\Explorer.EXE6à** ^±'ض$Ó  ?Õ,&  0Hé!€ñ´Š¶$Ót”^Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>n, Z"°2017-09-03 13:10:36.960ŸR Lÿ«Y1ÐÿðC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR Lÿ«Y.Íÿ`C:\Windows\py.exe"C:\Windows\py.exe" "C:\tool-test\tools\python-evtx-master\python-evtx-master\setup.py" ndo ** _”¿£ ¶$Ó  ?Õ,&  0Hë!€±'ض$Ót”_Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆ(, Z"°2017-09-03 13:10:37.476ŸR Mÿ«YÝðÿÜC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe "C:\tool-test\tools\python-evtx-master\python-evtx-master\setup.py" C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR Lÿ«Y.Íÿ`C:\Windows\py.exe"C:\Windows\py.exe" "C:\tool-test\tools\python-evtx-master\python-evtx-master\setup.py" to ** `±t¤ ¶$Ó  ?Õ,&  0Hí!€”¿£ ¶$Ót”`Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.ˆ2017-09-03 13:10:38.814ŸR Mÿ«YÝðÿÜC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exea **Àa…{¦ ¶$Ó  ?Õ,&  0H‡!€±t¤ ¶$Ót”aMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË."2017-09-03 13:10:38.814ŸR Lÿ«Y.Íÿ`C:\Windows\py.exe$ÓÀ**ØbÛ™{ ¶$Ó  ?Õ,&  0H£!€…{¦ ¶$Ót”bMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.>2017-09-03 13:10:38.829ŸR Lÿ«Y1ÐÿðC:\Windows\System32\conhost.exechØ**c‡â2¶$Ó  ?Õ,&  0Hã!€Û™{ ¶$Ót”cMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ÚP¾,Z>Z2017-09-03 13:10:45.262ŸR Uÿ«Y5d C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe"C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe" -ServerName:App.AppX5fk30j505cah0hbcsx7j4sb0mpdk18qy.mcaC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=785E4E35015FC4E74613E37E23606C093EB7DE1AŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch|ý«**ðdl3¶$Ó  ?Õ,&  0H¹!€‡â2¶$Ót”dMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.T2017-09-03 13:11:09.955ŸR àþ«Y± ûÈC:\Windows\System32\SearchProtocolHost.exe**ð**èeCïîf¶$Ó  ?Õ,&  0Hµ!€l3¶$Ót”eMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.P2017-09-03 13:11:09.955ŸR áþ«Y~ûpC:\Windows\System32\SearchFilterHost.exeè**xfÀŽ@ë¶$Ó  ?Õ,&  0H?!€Cïîf¶$Ót”fMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.Ú2017-09-03 13:13:15.330ŸR Uÿ«Y5d C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe AUTx**hgPûDë¶$Ó  ?Õ,&  0H3!€ÀŽ@ë¶$Ót”gMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.6¼(& Zbf2017-09-03 13:16:57.317ŸR ɬYNC:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat""C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=524AB0A40594D2B5F620F542E87A45472979A416ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"h**8h9Lë¶$Ó  ?Õ,&  0H!€PûDë¶$Ót”hMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>n& Z6¼2017-09-03 13:16:57.368ŸR ɬYP C:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR ɬYNC:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat""8**0i[ÅXë¶$Ó  ?Õ,&  0H÷!€9Lë¶$Ót”iMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.@L(& Z6¼2017-09-03 13:16:57.405ŸR ɬY2017-09-03 13:16:57.627ŸR ɬYP C:\Windows\System32\conhost.exeonØ**¨m,y¢ÑÄ$Ó  ?Õ,&  0Hu!€Žl¢ÑÄ$Ót”mMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.B((& Z>T2017-09-03 14:56:27.258ŸR ¬Y‰n„ C:\Windows\System32\taskhostw.exetaskhostw.exe SYSTEMC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs¨**°n Z³ÑÄ$Ó  ?Õ,&  0Hw!€,y¢ÑÄ$Ót”nMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.B$(, Z>T2017-09-03 14:56:27.268ŸR ¬YoàC:\Windows\System32\taskhostw.exetaskhostw.exe USERC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs7-16°**oÆJÕÑÄ$Ó  ?Õ,&  0HÍ!€ Z³ÑÄ$Ót”oMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>J(4 Z>€2017-09-03 14:56:27.305ŸR ¬Y²qÔC:\Windows\System32\audiodg.exeC:\Windows\system32\AUDIODG.EXE 0x49cC:\Windows\system32\NT AUTHORITY\LOCAL SERVICEŸR –«Y ååSystemSHA1=3F4F3B6D6120FB33B4AEEA3723E5D7693F8EC013ŸR –«YêSxC:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedf**hp°´ãÑÄ$Ó  ?Õ,&  0H1!€ÆJÕÑÄ$Ót”pMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.6º(& Zbf2017-09-03 14:56:27.631ŸR ¬Y€øC:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=524AB0A40594D2B5F620F542E87A45472979A416ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"06.h**8qè€òÑÄ$Ó  ?Õ,&  0H!€°´ãÑÄ$Ót”qMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>n& Z6º2017-09-03 14:56:27.726ŸR ¬YC‡XC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR ¬Y€øC:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" 138**ØrxîÒÄ$Ó  ?Õ,&  0H¡!€è€òÑÄ$Ót”rMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.TÖ|,Z>Z2017-09-03 14:56:27.797ŸR ¬YŽ…°C:\Windows\System32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mcaC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=0DA61DE2844E7AABBB0D424722E477F95FFA3632ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch-SyØ**sö°ÒÄ$Ó  ?Õ,&  0HÇ!€xîÒÄ$Ót”sMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.TÊ®,Z>Z2017-09-03 14:56:27.938ŸR ¬Y‚—`C:\Windows\System32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXe9cvj1thv1hmcw0cs98xm3r97tyzy2xs.mcaC:\Program Files\WindowsApps\Microsoft.WindowsStore_11707.1001.23.0_x64__8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=0DA61DE2844E7AABBB0D424722E477F95FFA3632ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch**èt#ÈÒÄ$Ó  ?Õ,&  0H¯!€ö°ÒÄ$Ót”tMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ÚÈ,Z>Z2017-09-03 14:56:27.935ŸR ¬Yî–( C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe" -ServerName:Hx.IPC.ServerC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=E1833044E4A0847B2308DAB7C64F240FDAD15C46ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchMicrè**èuñ°ÒÄ$Ó  ?Õ,&  0H³!€#ÈÒÄ$Ót”uMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.TÊš,Z>Z2017-09-03 14:56:28.081ŸR ¬Y °ŒC:\Windows\System32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mcaC:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=0DA61DE2844E7AABBB0D424722E477F95FFA3632ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch01è**(vÉ4ÑÒÄ$Ó  ?Õ,&  0Hñ!€ñ°ÒÄ$Ót”vMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.@H(& Z6º2017-09-03 14:56:28.114ŸR ¬Yý³,C:\Windows\System32\ipconfig.exeC:\Windows\system32\ipconfig /renewC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=751267A96267DFCC5E0C5CDFE81DDD9B5A013FFCŸR ¬Y€øC:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""mon(**Øwå>‚ÓÄ$Ó  ?Õ,&  0H¥!€É4ÑÒÄ$Ót”wMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.@2017-09-03 14:56:29.282ŸR ÈÙ«Y‚˜§pC:\Windows\System32\WUDFHost.exeØ**Àx”ÀÖÄ$Ó  ?Õ,&  0H‰!€å>‚ÓÄ$Ót”xMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.B*(8 Z>T2017-09-03 14:56:30.426ŸR ¬Y@ìxC:\Windows\System32\taskhostw.exetaskhostw.exe networkC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsdowÀ**ypl‰×Ä$Ó  ?Õ,&  0HÝ!€”ÀÖÄ$Ót”yMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ff(, Z>T2017-09-03 14:56:35.810ŸR #¬YøC:\Windows\System32\LocationNotificationWindows.exeC:\Windows\System32\LocationNotificationWindows.exeC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=1A76E79B7E812B51AA80FC54C586FC1E8966F063ŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcss**àzý¶’×Ä$Ó  ?Õ,&  0H§!€pl‰×Ä$Ót”zMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.B2017-09-03 14:56:37.213ŸR ¬YoàC:\Windows\System32\taskhostw.exe tà**¨{‡? ØÄ$Ó  ?Õ,&  0Ho!€ý¶’×Ä$Ót”{Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.<<8 Z@@2017-09-03 14:56:36.510ŸR $¬YÜ'|C:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeC:\WindowsNT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=9B5B7C08DA7CF36CA302C6E57CBC8BCFA5A69A9DŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exe-evt¨**à|M£UØÄ$Ó  ?Õ,&  0H§!€‡? ØÄ$Ót”|Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.B2017-09-03 14:56:38.072ŸR ¬Y‰n„ C:\Windows\System32\taskhostw.exes-Syà**à}…=sØÄ$Ó  ?Õ,&  0H§!€M£UØÄ$Ót”}Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.B2017-09-03 14:56:38.541ŸR ¬Y@ìxC:\Windows\System32\taskhostw.exe ?Õ,&à**~ÒxÏØÄ$Ó  ?Õ,&  0HÉ!€…=sØÄ$Ót”~Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.H^(8 Z>Z2017-09-03 14:56:38.544ŸR &¬YYXC:\Windows\System32\SppExtComObj.ExeC:\Windows\system32\SppExtComObj.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=6405859F261189D3DC15E6FA8040FC2CB23C6499ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch.2**p’ÚÄ$Ó  ?Õ,&  0H7!€ÒxÏØÄ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.8Î(8 ZH^2017-09-03 14:56:39.226ŸR '¬YönC:\Windows\System32\slui.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=73111121-5638-40f6-bc11-f1d7b0d64300;NotificationInterval=1440;Trigger=NetworkAvailableC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=4090DACB56DBFF6A5306E13FF5FA157ECA4714A9ŸR &¬YYXC:\Windows\System32\SppExtComObj.ExeC:\Windows\system32\SppExtComObj.exe -Embedding tp**x€:KRÛÄ$Ó  ?Õ,&  0H?!€’ÚÄ$Ót”€Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.Ú2017-09-03 14:56:42.291ŸR ¬Yî–( C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe_8pW*Âàx**ðù¶ÛÄ$Ó  ?Õ,&  0H¹!€:KRÛÄ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.T2017-09-03 14:56:43.557ŸR ¬Y °ŒC:\Windows\System32\backgroundTaskHost.exeð**ЂB)„ßÄ$Ó  ?Õ,&  0H!€ù¶ÛÄ$Ót”‚Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.8N(, Z>Z2017-09-03 14:56:44.219ŸR ,¬YòZxC:\Windows\System32\slui.exeC:\Windows\System32\slui.exe -EmbeddingC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=4090DACB56DBFF6A5306E13FF5FA157ECA4714A9ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchiÐ**Ѓ0*—ßÄ$Ó  ?Õ,&  0H!€B)„ßÄ$Ót”ƒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.82017-09-03 14:56:50.572ŸR ,¬YòZxC:\Windows\System32\slui.exe5Ð** „¹ð™ßÄ$Ó  ?Õ,&  0Hé!€0*—ßÄ$Ót”„Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.àV¸,Z>Z2017-09-03 14:56:50.638ŸR 2¬Yì†tC:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.35071.13510.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe"C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.35071.13510.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe" -ServerName:App.AppXzst44mncqdg84v7sv6p7yznqwssy6f7f.mcaC:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.35071.13510.0_x64__8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=CE5155CEE8C9B6538837906E34043FABC06F49EEŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch0 **Ð…\øáÄ$Ó  ?Õ,&  0H!€¹ð™ßÄ$Ót”…Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.82017-09-03 14:56:50.744ŸR '¬YönC:\Windows\System32\slui.exesÐ**†7Å°ãÄ$Ó  ?Õ,&  0HË!€\øáÄ$Ót”†Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.f2017-09-03 14:56:54.713ŸR #¬YøC:\Windows\System32\LocationNotificationWindows.exe-0**‡#¾äÄ$Ó  ?Õ,&  0Hã!€7Å°ãÄ$Ót”‡Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü{Ñtlüâ:IŽ'1¶ÌÔˆŒÿÿ€Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .T..2017-09-03 14:56:57.603ŸR ¬YŽ…°C:\Windows\system32\backgroundTaskHost.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131489242020722805.txt.~tmp2017-09-03 14:56:57.5412017-09-03 14:56:57.572iû**0ˆ0ÙäÄ$Ó  ?Õ,&  0H÷!€#¾äÄ$Ót”ˆMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(, Z>Z2017-09-03 14:56:59.370ŸR ;¬YSðÐC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchA1=70**x‰;p»çÄ$Ó  ?Õ,&  0HE!€0ÙäÄ$Ót”‰Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.à2017-09-03 14:56:59.541ŸR 2¬Yì†tC:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.35071.13510.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe6x**ØŠj!îÄ$Ó  ?Õ,&  0H£!€;p»çÄ$Ót”ŠMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.>2017-09-03 14:57:04.385ŸR ;¬YSðÐC:\Windows\System32\dllhost.exeonØ**è‹ÝÚðÄ$Ó  ?Õ,&  0H³!€j!îÄ$Ót”‹Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.TÊš,Z>Z2017-09-03 14:57:15.120ŸR K¬YDL C:\Windows\System32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mcaC:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=0DA61DE2844E7AABBB0D424722E477F95FFA3632ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch\Wè**ðŒ "ôÄ$Ó  ?Õ,&  0H¹!€ÝÚðÄ$Ót”ŒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.T2017-09-03 14:57:19.682ŸR K¬YDL C:\Windows\System32\backgroundTaskHost.exeC:ð**à­D"ôÄ$Ó  ?Õ,&  0H­!€ "ôÄ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.H2017-09-03 14:57:25.182ŸR &¬YYXC:\Windows\System32\SppExtComObj.Exeià**ØŽ³(Å$Ó  ?Õ,&  0H¡!€­D"ôÄ$Ót”ŽMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.<2017-09-03 14:57:25.182ŸR $¬YÜ'|C:\Windows\System32\sppsvc.exeppsØ**ðÙŠÿ Å$Ó  ?Õ,&  0H¹!€³(Å$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.T2017-09-03 14:57:57.104ŸR ¬Y‚—`C:\Windows\System32\backgroundTaskHost.exeULDð**˜{ü7 Å$Ó  ?Õ,&  0Ha!€ÙŠÿ Å$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.x¨(& Zbf2017-09-03 14:58:03.515ŸR {¬YX‚pC:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1920 1080 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"-Sy˜**h‘;ƒ˜ Å$Ó  ?Õ,&  0H5!€{ü7 Å$Ót”‘Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ].,Î[.NZ" 2017-09-03 14:58:05.588C:\Windows\System32\drivers\monitor.sysSHA1=1519DFF558D2C4443109F506486E55E2F590A77AtrueMicrosoft WindowsValidih**’`êÅ$Ó  ?Õ,&  0HÝ!€;ƒ˜ Å$Ót”’Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.x2017-09-03 14:58:06.229ŸR {¬YX‚pC:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe9**˜“ËôÅ$Ó  ?Õ,&  0H_!€`êÅ$Ót”“Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.x¦(& Zbf2017-09-03 14:58:13.647ŸR …¬Y ÎÀC:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1024 768 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"exeC˜**h”#;ƒÅ$Ó  ?Õ,&  0H5!€ËôÅ$Ót””Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ].,Î[.NZ" 2017-09-03 14:58:13.775C:\Windows\System32\drivers\monitor.sysSHA1=1519DFF558D2C4443109F506486E55E2F590A77AtrueMicrosoft WindowsValideh**•› Å$Ó  ?Õ,&  0HÝ!€#;ƒÅ$Ót”•Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.x2017-09-03 14:58:14.479ŸR …¬Y ÎÀC:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe\**ð–\˜¡Å$Ó  ?Õ,&  0H¹!€› Å$Ót”–Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.T2017-09-03 14:58:27.104ŸR ¬YŽ…°C:\Windows\System32\backgroundTaskHost.exe03 ð:08:56.189ŸR  ?Õ,&  0Hs\€\˜¡Å$Ót”—Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åË.M2017-09-03 14:58:34.807ŸR ¬Yý³,em ElfChnk—ߗ߀àû€ÿÿÍmѱi`wóè8=Î÷²›f?øm©MFº&Sé=**˜—4v¢Å$Ó  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0Hµ!€\˜¡Å$Ót”—Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé¢å _Ö¡`Ÿ(À›AøÿÿìD‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .@2017-09-03 14:58:34.807ŸR ¬Yý³,C:\Windows\System32\ipconfig.exeÿ)˜**Иz¢Å$Ó  ?Õ,&  0H›!€4v¢Å$Ót”˜Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.62017-09-03 14:58:34.807ŸR ¬Y€øC:\Windows\System32\cmd.exetCÐ**Ø™`í‡Å$Ó  ?Õ,&  0H£!€z¢Å$Ót”™Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-09-03 14:58:34.807ŸR ¬YC‡XC:\Windows\System32\conhost.exeeLØ**Øšó5YÒÅ$Ó  ?Õ,&  0H£!€`í‡Å$Ót”šMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-09-03 15:01:32.542ŸR ¬Y²qÔC:\Windows\System32\audiodg.exeNWØ**›ê=dÒÅ$Ó  ?Õ,&  0H×!€ó5YÒÅ$Ót”›Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxSÀ5ñxaæâçz|°âÊRÿÿFAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .B(, Z>T2017-09-03 15:03:38.002ŸR ʬYi„LC:\Windows\System32\taskhostw.exetaskhostw.exeC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsAÿÿ-**èœ-/lÒÅ$Ó  ?Õ,&  0H³!€ê=dÒÅ$Ót”œMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.TÊš,Z>Z2017-09-03 15:03:38.079ŸR ʬYŠDC:\Windows\System32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mcaC:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=0DA61DE2844E7AABBB0D424722E477F95FFA3632ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchè**èhÁ°ÒÅ$Ó  ?Õ,&  0H¯!€-/lÒÅ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.ÚÈ,Z>Z2017-09-03 15:03:38.131ŸR ʬYCLC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe" -ServerName:Hx.IPC.ServerC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=E1833044E4A0847B2308DAB7C64F240FDAD15C46ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch9:28è**ÀžŽËæÒÅ$Ó  ?Õ,&  0H‰!€hÁ°ÒÅ$Ót”žMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.>R(& Z@@2017-09-03 15:03:38.481ŸR ʬYœŸC:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k wsappxC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=FD9154EC5FED8B2EE3A71E95CF62601AC9296509ŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exe1AŸÀ**ÀŸÄÜïÒÅ$Ó  ?Õ,&  0H‰!€ŽËæÒÅ$Ót”ŸMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.B*(8 Z>T2017-09-03 15:03:38.935ŸR ʬYk®`C:\Windows\System32\taskhostw.exetaskhostw.exe networkC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsWÀ**¨ ŸòÒÅ$Ó  ?Õ,&  0Ho!€ÄÜïÒÅ$Ót” Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.<<8 Z@@2017-09-03 15:03:38.983ŸR ʬY0²0C:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeC:\WindowsNT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=9B5B7C08DA7CF36CA302C6E57CBC8BCFA5A69A9DŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exeoftw¨**à¡dÿHÓÅ$Ó  ?Õ,&  0H§!€ŸòÒÅ$Ót”¡Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.B2017-09-03 15:03:39.010ŸR ʬYi„LC:\Windows\System32\taskhostw.exe**à**¢£1KÓÅ$Ó  ?Õ,&  0HÉ!€dÿHÓÅ$Ót”¢Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.H^(8 Z>Z2017-09-03 15:03:39.579ŸR ˬY?Ã( C:\Windows\System32\SppExtComObj.ExeC:\Windows\system32\SppExtComObj.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=6405859F261189D3DC15E6FA8040FC2CB23C6499ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch-09**à£r¯aÓÅ$Ó  ?Õ,&  0H§!€£1KÓÅ$Ót”£Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.B2017-09-03 15:03:39.588ŸR ʬYk®`C:\Windows\System32\taskhostw.exeriteà**p¤DÁºÓÅ$Ó  ?Õ,&  0H7!€r¯aÓÅ$Ót”¤Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.8Î(8 ZH^2017-09-03 15:03:39.731ŸR ˬY2Ê C:\Windows\System32\slui.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=73111121-5638-40f6-bc11-f1d7b0d64300;NotificationInterval=1440;Trigger=NetworkAvailableC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=4090DACB56DBFF6A5306E13FF5FA157ECA4714A9ŸR ˬY?Ã( C:\Windows\System32\SppExtComObj.ExeC:\Windows\system32\SppExtComObj.exe -Embeddingp**x¥VðÔÅ$Ó  ?Õ,&  0H?!€DÁºÓÅ$Ót”¥Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.Ú2017-09-03 15:03:40.323ŸR ʬYCLC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe\Winx**8¦yÔÅ$Ó  ?Õ,&  0H!€VðÔÅ$Ót”¦Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü=tlüâ:IŽ'1¶ÌÔˆŒÿÿ€Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .T<..2017-09-03 15:03:40.917ŸR ʬYŠDC:\Windows\system32\backgroundTaskHost.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\243292\1504451020.~tmp2017-09-03 15:03:40.9172017-09-03 15:03:40.917twa8**§º EÔÅ$Ó  ?Õ,&  0H]!€yÔÅ$Ót”§Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü=.T<..2017-09-03 15:03:40.917ŸR ʬYŠDC:\Windows\system32\backgroundTaskHost.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\243289\1504451020.~tmp2017-09-03 15:03:40.9172017-09-03 15:03:40.917**¨ª"bÔÅ$Ó  ?Õ,&  0H]!€º EÔÅ$Ót”¨Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü=.T<..2017-09-03 15:03:41.230ŸR ʬYŠDC:\Windows\system32\backgroundTaskHost.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\279986\1504451021.~tmp2017-09-03 15:03:41.1832017-09-03 15:03:41.183O**©¸GÍÔÅ$Ó  ?Õ,&  0H]!€ª"bÔÅ$Ót”©Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü=.T<..2017-09-03 15:03:41.417ŸR ʬYŠDC:\Windows\system32\backgroundTaskHost.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\279978\1504451021.~tmp2017-09-03 15:03:41.3862017-09-03 15:03:41.386\**¨ª)…×Å$Ó  ?Õ,&  0Hs!€¸GÍÔÅ$Ót”ªMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.\‚š,Z>Z2017-09-03 15:03:42.107ŸR άY)`C:\Windows\System32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=5AA2D5D33566269FED9DCC167C904692DD133693ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch\M¨**Ы®Åc×Å$Ó  ?Õ,&  0H!€)…×Å$Ót”«Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.8N(, Z>Z2017-09-03 15:03:45.946ŸR ѬY^q„C:\Windows\System32\slui.exeC:\Windows\System32\slui.exe -EmbeddingC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=4090DACB56DBFF6A5306E13FF5FA157ECA4714A9ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch:Ð**ð¬²Á¸ØÅ$Ó  ?Õ,&  0H¹!€®Åc×Å$Ót”¬Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.T2017-09-03 15:03:46.448ŸR ʬYŠDC:\Windows\System32\backgroundTaskHost.exe262ð**ЭŒ»ØÅ$Ó  ?Õ,&  0H!€²Á¸ØÅ$Ót”­Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.82017-09-03 15:03:48.698ŸR ˬY2Ê C:\Windows\System32\slui.exe-Ð**ЮˆYÙÅ$Ó  ?Õ,&  0H!€Œ»ØÅ$Ót”®Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.82017-09-03 15:03:48.714ŸR ѬY^q„C:\Windows\System32\slui.exe6Ð**è¯ÉùÛÅ$Ó  ?Õ,&  0H³!€ˆYÙÅ$Ót”¯Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.TÊš,Z>Z2017-09-03 15:03:49.320ŸR Õ¬Y¦TC:\Windows\System32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mcaC:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=0DA61DE2844E7AABBB0D424722E477F95FFA3632ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchè**ø°&ž!ÝÅ$Ó  ?Õ,&  0HÁ!€ÉùÛÅ$Ót”°Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.\2017-09-03 15:03:52.527ŸR άY)`C:\Windows\System32\BackgroundTransferHost.exepqsø**¨±yÃkÞÅ$Ó  ?Õ,&  0Hs!€&ž!ÝÅ$Ót”±Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.\‚š,Z>Z2017-09-03 15:03:56.098ŸR ܬY/ÊpC:\Windows\System32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=5AA2D5D33566269FED9DCC167C904692DD133693ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch*¨**ø²:¦ËãÅ$Ó  ?Õ,&  0HÁ!€yÃkÞÅ$Ót”²Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.\2017-09-03 15:03:58.261ŸR ܬY/ÊpC:\Windows\System32\BackgroundTransferHost.exe.exø**ð³QóëÅ$Ó  ?Õ,&  0H¹!€:¦ËãÅ$Ót”³Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.T2017-09-03 15:04:07.261ŸR Õ¬Y¦TC:\Windows\System32\backgroundTaskHost.exeMwað**à´ó¶óëÅ$Ó  ?Õ,&  0H­!€QóëÅ$Ót”´Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.H2017-09-03 15:04:20.948ŸR ˬY?Ã( C:\Windows\System32\SppExtComObj.Exe à**صp¾<†Æ$Ó  ?Õ,&  0H¡!€ó¶óëÅ$Ót”µMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.<2017-09-03 15:04:20.948ŸR ʬY0²0C:\Windows\System32\sppsvc.exeC:\Ø**ضÚTßÇ$Ó  ?Õ,&  0H£!€p¾<†Æ$Ót”¶Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-09-03 15:08:39.809ŸR ʬYœŸC:\Windows\System32\svchost.exeonØ**·ÌßÇ$Ó  ?Õ,&  0Hã!€ÚTßÇ$Ót”·Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.Tl(& ZJ`2017-09-03 15:18:18.232ŸR :¬Yn¨ C:\Windows\System32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe21_ Global\UsGthrCtrlFltPipeMssGthrPipe21 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=95BEE7F8274B133E9AB524C330ACAE7E69492CFDŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding58**0¸…03È$Ó  ?Õ,&  0H÷!€ÌßÇ$Ót”¸Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.P„(& ZJ`2017-09-03 15:18:18.338ŸR :¬Yš†øC:\Windows\System32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 688 692 700 8192 696 C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççMediumSHA1=E650ECE4807C47CE70E4773B298CE789D3885072ŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /EmbeddingWind0**ð¹Â÷03È$Ó  ?Õ,&  0H¹!€…03È$Ót”¹Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.T2017-09-03 15:20:39.466ŸR :¬Yn¨ C:\Windows\System32\SearchProtocolHost.exe!ð**èºÐý}ðÈ$Ó  ?Õ,&  0Hµ!€Â÷03È$Ót”ºMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.P2017-09-03 15:20:39.466ŸR :¬Yš†øC:\Windows\System32\SearchFilterHost.exesè**p»Ë£ðÈ$Ó  ?Õ,&  0H9!€Ðý}ðÈ$Ót”»Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.rì(, Z..2017-09-03 15:25:57.064ŸR ¬YEº ðC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=F31C17E0453F27BE85730E316840F11522DDEC3EŸR S–«Y­{ C:\Windows\explorer.exeC:\Windows\Explorer.EXEsysp**¨¼D{ñÈ$Ó  ?Õ,&  0Hu!€Ë£ðÈ$Ót”¼Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.>n, Zrì2017-09-03 15:25:57.317ŸR ¬YྠP C:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR ¬YEº ðC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'A¨**@½ý”LòÈ$Ó  ?Õ,&  0H !€D{ñÈ$Ót”½Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü=.rÊ..2017-09-03 15:25:58.060ŸR ¬YEº ðC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\MNWPRO\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0LG8BCTAA9A7W3SXC0Y4.temp2017-09-03 11:07:06.6582017-09-03 15:25:57.967exe@**¾„bNòÈ$Ó  ?Õ,&  0H×!€ý”LòÈ$Ót”¾Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.r2017-09-03 15:26:00.092ŸR ¬YEº ðC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe32ŸR**Ø¿V¸LôÈ$Ó  ?Õ,&  0H£!€„bNòÈ$Ót”¿Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-09-03 15:26:00.107ŸR ¬YྠP C:\Windows\System32\conhost.exetiØ**pÀù.OôÈ$Ó  ?Õ,&  0H9!€V¸LôÈ$Ót”ÀMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.rì(, Z..2017-09-03 15:26:03.457ŸR ¬Yü C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=F31C17E0453F27BE85730E316840F11522DDEC3EŸR S–«Y­{ C:\Windows\explorer.exeC:\Windows\Explorer.EXEtp**¨Á%†ôÈ$Ó  ?Õ,&  0Hu!€ù.OôÈ$Ót”ÁMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.>n, Zrì2017-09-03 15:26:03.475ŸR ¬Y% C:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR ¬Yü C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'¨¨**@Âhƒ“õÈ$Ó  ?Õ,&  0H !€%†ôÈ$Ót”ÂMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü=.rÊ..2017-09-03 15:26:03.826ŸR ¬Yü C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\MNWPRO\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VXGIEB9290A6LW4EMZK6.temp2017-09-03 11:07:06.6582017-09-03 15:26:03.701App@**Ã{Þ•õÈ$Ó  ?Õ,&  0H×!€hƒ“õÈ$Ót”ÃMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.r2017-09-03 15:26:05.591ŸR ¬Yü C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeyste**ØÄ:\÷È$Ó  ?Õ,&  0H£!€{Þ•õÈ$Ót”ÄMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-09-03 15:26:05.591ŸR ¬Y% C:\Windows\System32\conhost.exe3 Ø**ÈÅš7µ÷È$Ó  ?Õ,&  0H“!€:\÷È$Ót”ÅMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.>J(& Z>T2017-09-03 15:26:08.569ŸR ¬YY= 8C:\Windows\System32\consent.execonsent.exe 1012 670 000001F7BF7D00C0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B02648A975909E63D93E3531C1250F89BA676F9FŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs È**Æ“\øÈ$Ó  ?Õ,&  0HË!€š7µ÷È$Ót”ÆMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.>H(4 Z>€2017-09-03 15:26:09.172ŸR ¬YZ C:\Windows\System32\audiodg.exeC:\Windows\system32\AUDIODG.EXE 0xf4C:\Windows\system32\NT AUTHORITY\LOCAL SERVICEŸR –«Y ååSystemSHA1=3F4F3B6D6120FB33B4AEEA3723E5D7693F8EC013ŸR –«YêSxC:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted.e**(Ç9×røÈ$Ó  ?Õ,&  0Hñ!€“\øÈ$Ót”ÇMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.>¢(& Z>Z2017-09-03 15:26:10.256ŸR ¬YÒs ˜C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchndo(**ØȬ{øÈ$Ó  ?Õ,&  0H£!€9×røÈ$Ót”ÈMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-09-03 15:26:10.409ŸR ¬YY= 8C:\Windows\System32\consent.exeoØ**(Éh,~øÈ$Ó  ?Õ,&  0Hñ!€¬{øÈ$Ót”ÉMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.>¢(& Z>Z2017-09-03 15:26:10.474ŸR ¬Y¶{ ìC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch(**ÀÊ”ö~øÈ$Ó  ?Õ,&  0H‹!€h,~øÈ$Ót”ÊMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.rB(,Z..2017-09-03 15:26:10.494ŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=F31C17E0453F27BE85730E316840F11522DDEC3EŸR S–«Y­{ C:\Windows\explorer.exeC:\Windows\Explorer.EXEalÀ**Ël«øÈ$Ó  ?Õ,&  0HÇ!€”ö~øÈ$Ót”ËMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.>n,ZrB2017-09-03 15:26:10.499ŸR ¬Y€ ÔC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'LUI.**@̲xgûÈ$Ó  ?Õ,&  0H !€l«øÈ$Ót”ÌMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü=.rÊ..2017-09-03 15:26:10.780ŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\MNWPRO\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XE8XXSKJ5K834GSBYZTL.temp2017-09-03 11:07:06.6582017-09-03 15:26:10.733 t@**ØÍö }ûÈ$Ó  ?Õ,&  0H£!€²xgûÈ$Ót”ÍMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-09-03 15:26:15.374ŸR ¬YÒs ˜C:\Windows\System32\dllhost.exeroØ**ØÎÚëKÉ$Ó  ?Õ,&  0H£!€ö }ûÈ$Ót”ÎMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-09-03 15:26:15.514ŸR ¬Y¶{ ìC:\Windows\System32\dllhost.exe Ø**Ïß¼†É$Ó  ?Õ,&  0Hã!€ÚëKÉ$Ót”ÏMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.ÚP¾,Z>Z2017-09-03 15:26:31.936ŸR '¬Yâ ,C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe"C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe" -ServerName:App.AppX5fk30j505cah0hbcsx7j4sb0mpdk18qy.mcaC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=785E4E35015FC4E74613E37E23606C093EB7DE1AŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchòZ**xлÉ$Ó  ?Õ,&  0H?!€ß¼†É$Ót”ÐMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.Ú2017-09-03 15:26:35.696ŸR '¬Yâ ,C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe2017x**èÑ/‡+É$Ó  ?Õ,&  0H³!€»É$Ót”ÑMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.ˆ²r,ZrB2017-09-03 15:26:55.104ŸR ?¬YaN tC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py installC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'è** Ò>u&É$Ó  ?Õ,&  0Hí!€/‡+É$Ót”ÒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.ˆ2017-09-03 15:27:01.946ŸR ?¬YaN tC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe **èÓÕZq'É$Ó  ?Õ,&  0H³!€>u&É$Ót”ÓMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.ˆ²r,ZrB2017-09-03 15:27:27.677ŸR _¬YÜ ÐC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py installC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'peè** Ô<•Y<É$Ó  ?Õ,&  0Hí!€ÕZq'É$Ót”ÔMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.ˆ2017-09-03 15:27:29.259ŸR _¬YÜ ÐC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe9 **ÀÕ*<É$Ó  ?Õ,&  0H‰!€<•Y<É$Ót”ÕMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.B*(8 Z>T2017-09-03 15:28:04.322ŸR „¬Yé‡ ÔC:\Windows\System32\taskhostw.exetaskhostw.exe networkC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsÀ**¨ÖÈ©<É$Ó  ?Õ,&  0Ho!€*<É$Ót”ÖMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.<<8 Z@@2017-09-03 15:28:04.574ŸR „¬Yùž C:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeC:\WindowsNT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=9B5B7C08DA7CF36CA302C6E57CBC8BCFA5A69A9DŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exeWind¨** ×ëµ<É$Ó  ?Õ,&  0Hm!€È©<É$Ót”×Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.B(, Z>T2017-09-03 15:28:04.860ŸR „¬YÞ¥   C:\Windows\System32\taskhostw.exetaskhostw.exeC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsà **àØÁ€à<É$Ó  ?Õ,&  0H§!€ëµ<É$Ót”ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.B2017-09-03 15:28:04.931ŸR „¬YÞ¥   C:\Windows\System32\taskhostw.exes-Syà**àÙ|Mê<É$Ó  ?Õ,&  0H§!€Á€à<É$Ót”ÙMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.B2017-09-03 15:28:05.212ŸR „¬Yé‡ ÔC:\Windows\System32\taskhostw.exes-Syà**Úw7=É$Ó  ?Õ,&  0HÉ!€|Mê<É$Ót”ÚMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.H^(8 Z>Z2017-09-03 15:28:05.212ŸR …¬Yû² ”C:\Windows\System32\SppExtComObj.ExeC:\Windows\system32\SppExtComObj.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=6405859F261189D3DC15E6FA8040FC2CB23C6499ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchdow**pÛ‘"=É$Ó  ?Õ,&  0H7!€w7=É$Ót”ÛMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.8Î(8 ZH^2017-09-03 15:28:05.425ŸR …¬Yëº œC:\Windows\System32\slui.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=73111121-5638-40f6-bc11-f1d7b0d64300;NotificationInterval=1440;Trigger=NetworkAvailableC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=4090DACB56DBFF6A5306E13FF5FA157ECA4714A9ŸR …¬Yû² ”C:\Windows\System32\SppExtComObj.ExeC:\Windows\system32\SppExtComObj.exe -EmbeddingHA1=p**ÀܾºH=É$Ó  ?Õ,&  0H‰!€‘"=É$Ót”ÜMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.B*(8 Z>T2017-09-03 15:28:05.626ŸR …¬Yà ŒC:\Windows\System32\taskhostw.exetaskhostw.exe networkC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsatiÀ**àÝH%L=É$Ó  ?Õ,&  0H§!€¾ºH=É$Ót”ÝMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.B2017-09-03 15:28:05.899ŸR …¬Yà ŒC:\Windows\System32\taskhostw.exeem32à**pÞG…=É$Ó  ?Õ,&  0H7!€H%L=É$Ót”ÞMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.8Î(8 ZH^2017-09-03 15:28:05.918ŸR …¬Y‡Ë ´C:\Windows\System32\slui.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=73111121-5638-40f6-bc11-f1d7b0d64300;NotificationInterval=1440;Trigger=NetworkAvailableC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=4090DACB56DBFF6A5306E13FF5FA157ECA4714A9ŸR …¬Yû² ”C:\Windows\System32\SppExtComObj.ExeC:\Windows\system32\SppExtComObj.exe -Embedding8:14p** ßµw—=É$Ó  ?Õ,&  0Hm!€G…=É$Ót”ßMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxS.B(, Z>T2017-09-03 15:28:06.298ŸR †¬YEÔ tC:\Windows\System32\taskhostw.exetaskhostw.exeC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsn perational ¢åË.M2017-09-03 14:58:34.807ŸR ¬Yý³,em ElfChnkà*à*€(üþº\!Oaóè8=Î÷²›f?øm©MFºó&é s£** àŸ=É$Ó  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H!!€µw—=É$Ót”àMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxéÀ5ñxaæâçz|°âÊ€ÿÿtD‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .>R(& Z@@2017-09-03 15:28:06.418ŸR †¬Y‚æ œC:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k wsappxC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=FD9154EC5FED8B2EE3A71E95CF62601AC9296509ŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exendow **Èáyp±=É$Ó  ?Õ,&  0H“!€Ÿ=É$Ót”áMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>J(& Z>T2017-09-03 15:28:06.468ŸR †¬Y}ñ ¤C:\Windows\System32\consent.execonsent.exe 1012 308 000001F7C4FEF830C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B02648A975909E63D93E3531C1250F89BA676F9FŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsAÈ**Àâþ~õ=É$Ó  ?Õ,&  0H‰!€yp±=É$Ót”âMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å ¢å _Ö¡`Ÿ(À›AÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .B2017-09-03 15:28:06.587ŸR †¬YEÔ tC:\Windows\System32\taskhostw.exeaskÀ**Øãuø=É$Ó  ?Õ,&  0H£!€þ~õ=É$Ót”ãMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .>2017-09-03 15:28:07.024ŸR †¬Y}ñ ¤C:\Windows\System32\consent.exeØ**(äcþ=É$Ó  ?Õ,&  0Hñ!€uø=É$Ót”äMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(& Z>Z2017-09-03 15:28:07.056ŸR ‡¬Yí" ¼C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchyst(**(å¶~?É$Ó  ?Õ,&  0Hó!€cþ=É$Ót”åMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(,Z>Z2017-09-03 15:28:07.096ŸR ‡¬Yu' ˆC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{46B988E8-BEC2-401F-A1C5-16C694F26D3E}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchSe(**èæ0²ý@É$Ó  ?Õ,&  0H³!€¶~?É$Ót”æMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆ²r,ZrB2017-09-03 15:28:08.893ŸR ˆ¬Yü< \C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py installC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'rvè**Øçbn#AÉ$Ó  ?Õ,&  0H£!€0²ý@É$Ót”çMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .>2017-09-03 15:28:12.118ŸR ‡¬Yí" ¼C:\Windows\System32\dllhost.exek®Ø**ØèÉ=2AÉ$Ó  ?Õ,&  0H£!€bn#AÉ$Ót”èMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .>2017-09-03 15:28:12.368ŸR ‡¬Yu' ˆC:\Windows\System32\dllhost.exeosØ** 齸ŽFÉ$Ó  ?Õ,&  0Hí!€É=2AÉ$Ót”éMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .ˆ2017-09-03 15:28:12.462ŸR ˆ¬Yü< \C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exec **Ðê_?£IÉ$Ó  ?Õ,&  0H!€½¸ŽFÉ$Ót”êMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.8N(, Z>Z2017-09-03 15:28:21.464ŸR •¬Y{z ÄC:\Windows\System32\slui.exeC:\Windows\System32\slui.exe -EmbeddingC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=4090DACB56DBFF6A5306E13FF5FA157ECA4714A9ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchÐ**èëÐJÉ$Ó  ?Õ,&  0H³!€_?£IÉ$Ót”ëMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆ²r,ZrB2017-09-03 15:28:26.632ŸR š¬YÒŠ tC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py installC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'è**ÐìÏÝàJÉ$Ó  ?Õ,&  0H!€ÐJÉ$Ót”ìMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .82017-09-03 15:28:28.602ŸR …¬Y‡Ë ´C:\Windows\System32\slui.exeyÐ** íÍèrLÉ$Ó  ?Õ,&  0Hí!€ÏÝàJÉ$Ót”íMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .ˆ2017-09-03 15:28:28.712ŸR š¬YÒŠ tC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exeä **ÐîâwLÉ$Ó  ?Õ,&  0H!€ÍèrLÉ$Ót”îMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .82017-09-03 15:28:31.337ŸR •¬Y{z ÄC:\Windows\System32\slui.exeÐ**ÐïNÌRÉ$Ó  ?Õ,&  0H!€âwLÉ$Ót”ïMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .82017-09-03 15:28:31.369ŸR …¬Yëº œC:\Windows\System32\slui.exe.Ð**èð^\ŸRÉ$Ó  ?Õ,&  0H¯!€NÌRÉ$Ót”ðMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆ®r,ZrB2017-09-03 15:28:40.864ŸR ¨¬Y‹± |C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py buildC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'è** ñ©ÌÎTÉ$Ó  ?Õ,&  0Hí!€^\ŸRÉ$Ót”ñMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .ˆ2017-09-03 15:28:41.696ŸR ¨¬Y‹± |C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exea **èòZYUÉ$Ó  ?Õ,&  0H¯!€©ÌÎTÉ$Ót”òMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆ®r,ZrB2017-09-03 15:28:45.372ŸR ­¬YêÀ ØC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py buildC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'41.4è** óq¬êUÉ$Ó  ?Õ,&  0Hí!€ZYUÉ$Ót”óMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .ˆ2017-09-03 15:28:45.728ŸR ­¬YêÀ ØC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe× **èô¼VÉ$Ó  ?Õ,&  0H¯!€q¬êUÉ$Ót”ôMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆ®r,ZrB2017-09-03 15:28:47.230ŸR ¯¬Y„Í ÀC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py buildC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'N(è** õkÚ†[É$Ó  ?Õ,&  0Hí!€¼VÉ$Ót”õMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .ˆ2017-09-03 15:28:47.572ŸR ¯¬Y„Í ÀC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe\ **èöÎk\É$Ó  ?Õ,&  0H³!€kÚ†[É$Ót”öMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆ²r,ZrB2017-09-03 15:28:56.645ŸR ¸¬YœÚ C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py installC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'6è** ÷ê `É$Ó  ?Õ,&  0Hí!€Îk\É$Ót”÷Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .ˆ2017-09-03 15:28:58.134ŸR ¸¬YœÚ C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe\ **àøÁ `É$Ó  ?Õ,&  0H­!€ê `É$Ót”øMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .H2017-09-03 15:29:04.212ŸR …¬Yû² ”C:\Windows\System32\SppExtComObj.Exe7à**Øù©¾«zÉ$Ó  ?Õ,&  0H¡!€Á `É$Ót”ùMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .<2017-09-03 15:29:04.212ŸR „¬Yùž C:\Windows\System32\sppsvc.exeicrØ**ú¬^´zÉ$Ó  ?Õ,&  0HY!€©¾«zÉ$Ót”úMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.\Ì(& ZZ^2017-09-03 15:29:48.869ŸR ì¬YpC:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -ISU -RestrictPrivilegesC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B6EE18EAEE2C2308EAD96D622C6435E53F8E517CŸR –«Y’¬C:\Program Files\Windows Defender\MsMpEng.exe"C:\Program Files\Windows Defender\MsMpEng.exe"Ap**pû²àÈzÉ$Ó  ?Õ,&  0H9!€¬^´zÉ$Ót”ûMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>n& Z\Ì2017-09-03 15:29:48.953ŸR ì¬YrøC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR ì¬YpC:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -ISU -RestrictPrivileges201p**(ü7ÉzÉ$Ó  ?Õ,&  0Hï!€²àÈzÉ$Ót”üMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.\à(8 Z\Ì2017-09-03 15:29:49.086ŸR í¬YT( C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -ISU -RestrictPrivileges -ReinvokeC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=B6EE18EAEE2C2308EAD96D622C6435E53F8E517CŸR ì¬YpC:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -ISU -RestrictPrivilegessmon(**øýäÊzÉ$Ó  ?Õ,&  0HÁ!€7ÉzÉ$Ót”ýMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .\2017-09-03 15:29:49.087ŸR ì¬YpC:\Program Files\Windows Defender\MpCmdRun.exesofø**Øþ0ÂÍzÉ$Ó  ?Õ,&  0H£!€äÊzÉ$Ót”þMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .>2017-09-03 15:29:49.087ŸR ì¬YrøC:\Windows\System32\conhost.exethØ**ÿ\WÎzÉ$Ó  ?Õ,&  0HY!€0ÂÍzÉ$Ót”ÿMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.\Ì(& ZZ^2017-09-03 15:29:49.120ŸR í¬Yh"ŒC:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdateC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B6EE18EAEE2C2308EAD96D622C6435E53F8E517CŸR –«Y’¬C:\Program Files\Windows Defender\MsMpEng.exe"C:\Program Files\Windows Defender\MsMpEng.exe".**pƒ\©{É$Ó  ?Õ,&  0H9!€\WÎzÉ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>n& Z\Ì2017-09-03 15:29:49.123ŸR í¬Yê"øC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR í¬Yh"ŒC:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate :¬p**(ë|·~É$Ó  ?Õ,&  0Hñ!€ƒ\©{É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(& Z>Z2017-09-03 15:29:50.558ŸR î¬Yá™X C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchows(**ØnÍÄ~É$Ó  ?Õ,&  0H£!€ë|·~É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .>2017-09-03 15:29:55.681ŸR î¬Yá™X C:\Windows\System32\dllhost.exe1CØ**0ЩÛÉ$Ó  ?Õ,&  0H÷!€nÍÄ~É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(, Z>Z2017-09-03 15:29:55.771ŸR ó¬YøEC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{AA65DD7C-83AC-48C0-A6FD-9B61FEBF8800}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch32\W0**Øß»ö®É$Ó  ?Õ,&  0H£!€Ð©ÛÉ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .>2017-09-03 15:30:00.947ŸR ó¬YøEC:\Windows\System32\dllhost.exeØ**8¢¹]°É$Ó  ?Õ,&  0H!€ß»ö®É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.8Pr,ZrB2017-09-03 15:31:16.628ŸR D ¬YÌ8€C:\Windows\System32\PING.EXE"C:\Windows\system32\PING.EXE" baidu.comC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=43CD9903D65AAB27A1ECAC8D32BE751FE6706C5AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'€„bNò8**Ð-,~²É$Ó  ?Õ,&  0H!€¢¹]°É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .82017-09-03 15:31:18.978ŸR D ¬YÌ8€C:\Windows\System32\PING.EXEÐ**èéL—²É$Ó  ?Õ,&  0Hµ!€-,~²É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>l(& Z>T2017-09-03 15:31:22.530ŸR J ¬Y›´ˆ C:\Windows\System32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /RunHandlerComServerC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=5C4A1DD5CACD81D5B8851073CB0EFA40E3280BCEŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsEè** Oãí²É$Ó  ?Õ,&  0Hg!€éL—²É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.|Žb& Z>l2017-09-03 15:31:22.693ŸR J ¬Yj» C:\Windows\SoftwareDistribution\Download\Install\MpSigStub.exe"C:\Windows\SoftwareDistribution\Download\Install\MpSigStub.exe" /StoreC:\Windows\SoftwareDistribution\Download\Install\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=5B205FC1A25354726677A30B25D8E41B3EF69D84ŸR J ¬Y›´ˆ C:\Windows\System32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /RunHandlerComServertx-m ** 6Û³É$Ó  ?Õ,&  0Há!€Oãí²É$Ót” Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .|2017-09-03 15:31:23.275ŸR J ¬Yj» C:\Windows\SoftwareDistribution\Download\Install\MpSigStub.exehel** ”Ÿ ³É$Ó  ?Õ,&  0H[!€6Û³É$Ót” Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.|‚b& Z>l2017-09-03 15:31:23.575ŸR K ¬YyÁdC:\Windows\SoftwareDistribution\Download\Install\AM_Engine.exe"C:\Windows\SoftwareDistribution\Download\Install\AM_Engine.exe" C:\Windows\SoftwareDistribution\Download\Install\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=2E75F4464331EC4133B99FA5728C102EB6CFE27DŸR J ¬Y›´ˆ C:\Windows\System32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /RunHandlerComServer**p Z‚t³É$Ó  ?Õ,&  0H9!€”Ÿ ³É$Ót” Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.B4t& Z|‚2017-09-03 15:31:23.612ŸR K ¬Y!ÄXC:\Windows\System32\MpSigStub.exeC:\Windows\system32\MpSigStub.exe /stub 1.1.14146.0 /payload 1.1.14104.0 /MpWUStub /program C:\Windows\SoftwareDistribution\Download\Install\AM_Engine.exeC:\Windows\Temp\7A49F0BF-4136-4B26-B7C4-2DB8873CE22A-Sigs\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=5B205FC1A25354726677A30B25D8E41B3EF69D84ŸR K ¬YyÁdC:\Windows\SoftwareDistribution\Download\Install\AM_Engine.exe"C:\Windows\SoftwareDistribution\Download\Install\AM_Engine.exe" monp** D¥´É$Ó  ?Õ,&  0H]!€Z‚t³É$Ót” Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüs£tlüâ:IŽ'1¶ÌÔˆŒÿÿ€Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .Bª..2017-09-03 15:31:24.119ŸR K ¬Y!ÄXC:\Windows\system32\MpSigStub.exeC:\Windows\Temp\7B19E469-0E3F-48DC-A31E-8CE352FB1B1A1058.1d324c9b3200a2c\mpengine.dll2017-08-13 16:27:52.0002017-09-03 15:31:24.1190** OAR´É$Ó  ?Õ,&  0Há!€D¥´É$Ót” Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .|2017-09-03 15:31:25.103ŸR K ¬YyÁdC:\Windows\SoftwareDistribution\Download\Install\AM_Engine.exest.**ØÂ䇸É$Ó  ?Õ,&  0H£!€OAR´É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .>2017-09-03 15:31:25.572ŸR ¬YZ C:\Windows\System32\audiodg.exe:2Ø**ˆK#§¸É$Ó  ?Õ,&  0HS!€Â䇸É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.x~b& Z>l2017-09-03 15:31:31.149ŸR S ¬YûÎ C:\Windows\SoftwareDistribution\Download\Install\AM_Base.exe"C:\Windows\SoftwareDistribution\Download\Install\AM_Base.exe" C:\Windows\SoftwareDistribution\Download\Install\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=71F855D35FF6889D03B17BC1F6D09A8D35A0AD48ŸR J ¬Y›´ˆ C:\Windows\System32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /RunHandlerComServerchˆ**ð¬Ec¹É$Ó  ?Õ,&  0H¹!€K#§¸É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüs£.Bª..2017-09-03 15:31:32.821ŸR K ¬Y!ÄXC:\Windows\system32\MpSigStub.exeC:\Windows\Temp\7B19E469-0E3F-48DC-A31E-8CE352FB1B1A1058.1d324c9b3200a2c\mpasbase.vdm2017-08-23 19:18:18.0002017-09-03 15:31:32.821ionð**ð~'»É$Ó  ?Õ,&  0H¹!€¬Ec¹É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüs£.Bª..2017-09-03 15:31:34.078ŸR K ¬Y!ÄXC:\Windows\system32\MpSigStub.exeC:\Windows\Temp\7B19E469-0E3F-48DC-A31E-8CE352FB1B1A1058.1d324c9b3200a2c\mpavbase.vdm2017-08-23 19:18:22.0002017-09-03 15:31:34.078monð**ÒO»É$Ó  ?Õ,&  0HÝ!€~'»É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .x2017-09-03 15:31:36.915ŸR S ¬YûÎ C:\Windows\SoftwareDistribution\Download\Install\AM_Base.exeE**˜ †T»É$Ó  ?Õ,&  0Ha!€ÒO»É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.zŠb& Z>l2017-09-03 15:31:37.320ŸR Y ¬YŒÕ  C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe"C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe" WD /qC:\Windows\SoftwareDistribution\Download\Install\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=0BEA9CB12B70DFDB86DA4A53FA4FFC560F63C31FŸR J ¬Y›´ˆ C:\Windows\System32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /RunHandlerComServer5K8˜**ð|lt»É$Ó  ?Õ,&  0H¹!€ †T»É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüs£.Bª..2017-09-03 15:31:37.368ŸR K ¬Y!ÄXC:\Windows\system32\MpSigStub.exeC:\Windows\Temp\7B19E469-0E3F-48DC-A31E-8CE352FB1B1A1058.1d324c9b3200a2c\mpavdlta.vdm2017-09-03 10:25:32.0002017-09-03 15:31:37.368Îð**ðž¨OÈÉ$Ó  ?Õ,&  0H¹!€|lt»É$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüs£.Bª..2017-09-03 15:31:37.572ŸR K ¬Y!ÄXC:\Windows\system32\MpSigStub.exeC:\Windows\Temp\7B19E469-0E3F-48DC-A31E-8CE352FB1B1A1058.1d324c9b3200a2c\mpasdlta.vdm2017-09-03 10:25:32.0002017-09-03 15:31:37.541936ð**àl÷XÈÉ$Ó  ?Õ,&  0H§!€ž¨OÈÉ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .B2017-09-03 15:31:59.103ŸR K ¬Y!ÄXC:\Windows\System32\MpSigStub.exeerNaà**äzeÈÉ$Ó  ?Õ,&  0Hß!€l÷XÈÉ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .z2017-09-03 15:31:59.196ŸR Y ¬YŒÕ  C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe\svc**˜ÎÃèÈÉ$Ó  ?Õ,&  0H_!€äzeÈÉ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.~„b& Z>l2017-09-03 15:31:59.269ŸR o ¬YQ tC:\Windows\SoftwareDistribution\Download\Install\NIS_Engine.exe"C:\Windows\SoftwareDistribution\Download\Install\NIS_Engine.exe" C:\Windows\SoftwareDistribution\Download\Install\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=5FB317BD76D6E2B075D1AC82C6CD446325C46369ŸR J ¬Y›´ˆ C:\Windows\System32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /RunHandlerComServer.104˜**x¿mæÉÉ$Ó  ?Õ,&  0H?!€ÎÃèÈÉ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.B6t& Z~„2017-09-03 15:32:00.156ŸR p ¬YÒh C:\Windows\System32\MpSigStub.exeC:\Windows\system32\MpSigStub.exe /stub 1.1.14146.0 /payload 2.1.13804.0 /MpWUStub /program C:\Windows\SoftwareDistribution\Download\Install\NIS_Engine.exeC:\Windows\Temp\7A49F0BF-4136-4B26-B7C4-2DB8873CE22A-Sigs\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=5B205FC1A25354726677A30B25D8E41B3EF69D84ŸR o ¬YQ tC:\Windows\SoftwareDistribution\Download\Install\NIS_Engine.exe"C:\Windows\SoftwareDistribution\Download\Install\NIS_Engine.exe" ¢åéx**ð äòÉÉ$Ó  ?Õ,&  0H»!€¿mæÉÉ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüs£.B¬..2017-09-03 15:32:01.806ŸR p ¬YÒh C:\Windows\system32\MpSigStub.exeC:\Windows\Temp\8083436B-1BCB-4D96-B307-FBB25134BD47c68.1d324c9c8e82f9f\GapaEngine.dll2017-06-05 13:20:16.0002017-09-03 15:32:01.806msð**¾Ø ÊÉ$Ó  ?Õ,&  0Hã!€ äòÉÉ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .~2017-09-03 15:32:01.900ŸR o ¬YQ tC:\Windows\SoftwareDistribution\Download\Install\NIS_Engine.exeè**Ö=ÊÉ$Ó  ?Õ,&  0HW!€¾Ø ÊÉ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.z€b& Z>l2017-09-03 15:32:02.056ŸR r ¬Yà"`C:\Windows\SoftwareDistribution\Download\Install\NIS_Base.exe"C:\Windows\SoftwareDistribution\Download\Install\NIS_Base.exe" C:\Windows\SoftwareDistribution\Download\Install\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=0928B6068776AD53E11B68EF470F528A94A2148CŸR J ¬Y›´ˆ C:\Windows\System32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /RunHandlerComServerMicr**è=£ÊÉ$Ó  ?Õ,&  0Hµ!€Ö=ÊÉ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüs£.B¦..2017-09-03 15:32:02.087ŸR p ¬YÒh C:\Windows\system32\MpSigStub.exeC:\Windows\Temp\8083436B-1BCB-4D96-B307-FBB25134BD47c68.1d324c9c8e82f9f\NISBase.vdm2017-06-05 14:19:02.0002017-09-03 15:32:02.087sè**ë@ÊÉ$Ó  ?Õ,&  0Hß!€=£ÊÉ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .z2017-09-03 15:32:02.103ŸR r ¬Yà"`C:\Windows\SoftwareDistribution\Download\Install\NIS_Base.exe2\sp**¨å"ÊÉ$Ó  ?Õ,&  0Hs!€ë@ÊÉ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆŽb& Z>l2017-09-03 15:32:02.184ŸR r ¬Yp(LC:\Windows\SoftwareDistribution\Download\Install\NIS_Delta_Patch.exe"C:\Windows\SoftwareDistribution\Download\Install\NIS_Delta_Patch.exe" C:\Windows\SoftwareDistribution\Download\Install\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=BA187F88AAC485034252CB25948D1D9D4A31BCD7ŸR J ¬Y›´ˆ C:\Windows\System32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /RunHandlerComServerFE¨**H ÿ~ÊÉ$Ó  ?Õ,&  0H!€å"ÊÉ$Ót” Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüs£.B..2017-09-03 15:32:02.212ŸR p ¬YÒh C:\Windows\system32\MpSigStub.exeC:\Windows\Temp\8083436B-1BCB-4D96-B307-FBB25134BD47c68.1d324c9c8e82f9f\117.0.0.0_to_117.8.0.0_NISfull.vdm_source_NISbase.vdm._p2017-08-10 17:33:16.0002017-09-03 15:32:02.212osofH**à!‰8ÊÉ$Ó  ?Õ,&  0H§!€ÿ~ÊÉ$Ót”!Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .B2017-09-03 15:32:02.806ŸR p ¬YÒh C:\Windows\System32\MpSigStub.exeosofà** "4ƒ¡ÊÉ$Ó  ?Õ,&  0Hí!€‰8ÊÉ$Ót”"Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .ˆ2017-09-03 15:32:02.822ŸR r ¬Yp(LC:\Windows\SoftwareDistribution\Download\Install\NIS_Delta_Patch.exeä **Ø#çÀÊÉ$Ó  ?Õ,&  0H£!€4ƒ¡ÊÉ$Ót”#Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .>2017-09-03 15:32:03.041ŸR J ¬Y›´ˆ C:\Windows\System32\wuauclt.execrØ**ø$»tÁÊÉ$Ó  ?Õ,&  0HÁ!€çÀÊÉ$Ót”$Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .\2017-09-03 15:32:03.244ŸR í¬Yh"ŒC:\Program Files\Windows Defender\MpCmdRun.exeutoø**Ø%2ÌËÊÉ$Ó  ?Õ,&  0H£!€»tÁÊÉ$Ót”%Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .>2017-09-03 15:32:03.244ŸR í¬Yê"øC:\Windows\System32\conhost.exe53Ø**ø& "ÎÉ$Ó  ?Õ,&  0HÁ!€2ÌËÊÉ$Ót”&Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .\2017-09-03 15:32:03.322ŸR í¬YT( C:\Program Files\Windows Defender\MpCmdRun.exedowø**'ìŽ3ÎÉ$Ó  ?Õ,&  0H]!€ "ÎÉ$ÓtH'Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ].,Îó].,ήÄÃÜνŠÀïiQÙ2ÿÿ&Aÿÿ%8=UtcTime Aÿÿ-8= ImageLoaded Aÿÿ#8=Hashes Aÿÿ#8=Signed Aÿÿ)8= Signature Aÿÿ58'=SignatureStatus .êZd 2017-09-03 15:32:08.884C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{525C0661-DD72-4E33-AFDC-032496046F72}\MpKsl14393097.sysSHA1=9B71F27CE0F62B628C92C163503C9F390AF730A7trueMicrosoft Windows Hardware Compatibility PublisherValid**è(cºfÎÉ$Ó  ?Õ,&  0H³!€ìŽ3ÎÉ$Ót”(Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>D(& ZZ^2017-09-03 15:32:09.037ŸR y ¬YF1ÜC:\Windows\System32\svchost.exe"c:\windows\system32\\svchost.exe"C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=FD9154EC5FED8B2EE3A71E95CF62601AC9296509ŸR –«Y’¬C:\Program Files\Windows Defender\MsMpEng.exe"C:\Program Files\Windows Defender\MsMpEng.exe"s\è**Ø)èD.øÉ$Ó  ?Õ,&  0H£!€cºfÎÉ$Ót”)Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .>2017-09-03 15:32:09.368ŸR y ¬YF1ÜC:\Windows\System32\svchost.exeØ**Ø*n 1=Ê$Ó  ?Õ,&  0H£!€èD.øÉ$Ót”*Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å .>2017-09-03 15:33:19.463ŸR †¬Y‚æ œC:\Windows\System32\svchost.exexeØ\Windows\sys  ?Õ,&  0Hed€n 1=Ê$Ót”+Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.\svchost.exe -k netsvcsn 2017-09-03 15:35:15.250ŸR 3!¬Yýkü09-03 14:58:34.807ŸR ¬Yý³,em ElfChnk+l+l€èûØÿ;3|jŠóè8=Î÷²›f?øm©MFº;m&ékSE**0+øŠf@Ê$Ó  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0HK!€n 1=Ê$Ót”+Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxéÀ5ñxaæâçz|°âÊ€ÿÿtD‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .ˆ²r,ZrB2017-09-03 15:35:15.250ŸR 3!¬YýküC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py installC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master' 300**,#9ŸÊ$Ó  ?Õ,&  0HÏ!€øŠf@Ê$Ót”,Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk¢å _Ö¡`Ÿ(À›AÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .ˆ2017-09-03 15:35:20.619ŸR 3!¬YýküC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exeA**è-ådlŸÊ$Ó  ?Õ,&  0H¯!€#9ŸÊ$Ót”-Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆ®r,ZrB2017-09-03 15:37:59.717ŸR ×!¬Y0É\ C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py buildC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'dowsè** .Ç_¢Ê$Ó  ?Õ,&  0Hí!€ådlŸÊ$Ót”.Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.ˆ2017-09-03 15:38:00.042ŸR ×!¬Y0É\ C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exer **è/Ð5÷¢Ê$Ó  ?Õ,&  0H³!€Ç_¢Ê$Ót”/Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆ²r,ZrB2017-09-03 15:38:04.471ŸR Ü!¬YñÓXC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py installC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'\Aè** 0)!ÉÊ$Ó  ?Õ,&  0Hí!€Ð5÷¢Ê$Ót”0Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.ˆ2017-09-03 15:38:05.994ŸR Ü!¬YñÓXC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exes **1·´°úÊ$Ó  ?Õ,&  0HÇ!€)!ÉÊ$Ót”1Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.TÊ®,Z>Z2017-09-03 15:39:10.827ŸR "¬Y C:\Windows\System32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXe9cvj1thv1hmcw0cs98xm3r97tyzy2xs.mcaC:\Program Files\WindowsApps\Microsoft.WindowsStore_11707.1001.23.0_x64__8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=0DA61DE2844E7AABBB0D424722E477F95FFA3632ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLauncht.ex**È2‹uûÊ$Ó  ?Õ,&  0H“!€·´°úÊ$Ót”2Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>J(& Z>T2017-09-03 15:40:33.166ŸR q"¬YÚH C:\Windows\System32\consent.execonsent.exe 1012 686 000001F7C35B12E0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B02648A975909E63D93E3531C1250F89BA676F9FŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs:2È**3Ö÷ûüÊ$Ó  ?Õ,&  0HÍ!€‹uûÊ$Ót”3Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>J(4 Z>€2017-09-03 15:40:34.687ŸR r"¬Y&ðtC:\Windows\System32\audiodg.exeC:\Windows\system32\AUDIODG.EXE 0x448C:\Windows\system32\NT AUTHORITY\LOCAL SERVICEŸR –«Y ååSystemSHA1=3F4F3B6D6120FB33B4AEEA3723E5D7693F8EC013ŸR –«YêSxC:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictede**(4” ýÊ$Ó  ?Õ,&  0Hñ!€Ö÷ûüÊ$Ót”4Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(& Z>Z2017-09-03 15:40:37.021ŸR u"¬Ygœ C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchì(**Ø5¯ ýÊ$Ó  ?Õ,&  0H£!€” ýÊ$Ót”5Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.>2017-09-03 15:40:37.115ŸR q"¬YÚH C:\Windows\System32\consent.exeèrLØ**(6ÞýÊ$Ó  ?Õ,&  0Hñ!€¯ ýÊ$Ót”6Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(& Z>Z2017-09-03 15:40:37.137ŸR u"¬Y` C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch(**Ð7ïÒªýÊ$Ó  ?Õ,&  0H›!€ÞýÊ$Ót”7Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.rR(,Z..2017-09-03 15:40:37.223ŸR u"¬Yù ŒC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master\scripts'C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=F31C17E0453F27BE85730E316840F11522DDEC3EŸR S–«Y­{ C:\Windows\explorer.exeC:\Windows\Explorer.EXEhoÐ**8ç¶ÿýÊ$Ó  ?Õ,&  0H×!€ïÒªýÊ$Ót”8Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>n,ZrR2017-09-03 15:40:38.169ŸR v"¬YŽ#äC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR u"¬Yù ŒC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master\scripts'**à9Œ2ÿÊ$Ó  ?Õ,&  0H­!€ç¶ÿýÊ$Ót”9Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüSEtlüâ:IŽ'1¶ÌÔˆŒÿÿ€Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .rÊ..2017-09-03 15:40:38.712ŸR u"¬Yù ŒC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\MNWPRO\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\62E0DWOGXER50A5IALQB.temp2017-09-03 11:07:06.6582017-09-03 15:40:38.712Sà**ð:¸Ë$Ó  ?Õ,&  0H¹!€Œ2ÿÊ$Ót”:Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.T2017-09-03 15:40:40.712ŸR "¬Y C:\Windows\System32\backgroundTaskHost.exe ð**Ø;$&Ë$Ó  ?Õ,&  0H£!€¸Ë$Ót”;Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.>2017-09-03 15:40:42.087ŸR u"¬Ygœ C:\Windows\System32\dllhost.exeofØ**Ø<ÓkÓË$Ó  ?Õ,&  0H£!€$&Ë$Ót”<Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.>2017-09-03 15:40:42.259ŸR u"¬Y` C:\Windows\System32\dllhost.exen.Ø**=ˆõË$Ó  ?Õ,&  0Hã!€ÓkÓË$Ót”=Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ÚP¾,Z>Z2017-09-03 15:40:50.146ŸR ‚"¬Y‚¼C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe"C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exe" -ServerName:App.AppX5fk30j505cah0hbcsx7j4sb0mpdk18qy.mcaC:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=785E4E35015FC4E74613E37E23606C093EB7DE1AŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch*Âà**x>èçÌ Ë$Ó  ?Õ,&  0H?!€ˆõË$Ót”>Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.Ú2017-09-03 15:40:53.744ŸR ‚"¬Y‚¼C:\Program Files\WindowsApps\ActiproSoftwareLLC.562882FEEB491_2.6.18.18_neutral__24pqs290vpjk0\CodeWriter.exehon-x**?VÒ Ë$Ó  ?Õ,&  0HË!€èçÌ Ë$Ót”?Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆª‚,ZrR2017-09-03 15:41:03.554ŸR "¬Yš  C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\evtx_dump.pyC:\tool-test\tools\python-evtx-master\python-evtx-master\scripts\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR u"¬Yù ŒC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master\scripts'H** @™AË$Ó  ?Õ,&  0Hí!€VÒ Ë$Ót”@Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.ˆ2017-09-03 15:41:03.962ŸR "¬Yš  C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe **Aá\Ë$Ó  ?Õ,&  0HË!€™AË$Ót”AMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆª‚,ZrR2017-09-03 15:41:11.033ŸR —"¬Y’¥¨ C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\evtx_dump.pyC:\tool-test\tools\python-evtx-master\python-evtx-master\scripts\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR u"¬Yù ŒC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master\scripts'ti** Bð$^Ë$Ó  ?Õ,&  0Hí!€á\Ë$Ót”BMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.ˆ2017-09-03 15:41:11.212ŸR —"¬Y’¥¨ C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exeP **˜CïR Ë$Ó  ?Õ,&  0Ha!€ð$^Ë$Ót”CMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.x¨(& Zbf2017-09-03 15:41:24.611ŸR ¤"¬Yõ„ C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1920 1080 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" ä˜**¸D÷ŒÇË$Ó  ?Õ,&  0H!€ïR Ë$ÓtHDMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ].,Î;m].,ήÄÃÜνŠÀïiQÙ2ÿÿ&Aÿÿ%8=UtcTime Aÿÿ-8= ImageLoaded Aÿÿ#8=Hashes Aÿÿ#8=Signed Aÿÿ)8= Signature Aÿÿ58'=SignatureStatus .NZ" 2017-09-03 15:41:25.728C:\Windows\System32\drivers\monitor.sysSHA1=1519DFF558D2C4443109F506486E55E2F590A77AtrueMicrosoft WindowsValid**¸**E¿WXË$Ó  ?Õ,&  0HÝ!€÷ŒÇË$Ót”EMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.x2017-09-03 15:41:27.003ŸR ¤"¬Yõ„ C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe**˜FƒË$Ó  ?Õ,&  0H_!€¿WXË$Ót”FMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.x¦(& Zbf2017-09-03 15:41:32.990ŸR ¬"¬YH\( C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1024 768 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"˜**hG$—óË$Ó  ?Õ,&  0H5!€ƒË$Ót”GMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ].,Î;m.NZ" 2017-09-03 15:41:33.270C:\Windows\System32\drivers\monitor.sysSHA1=1519DFF558D2C4443109F506486E55E2F590A77AtrueMicrosoft WindowsValidh**HË "Ë$Ó  ?Õ,&  0HÝ!€$—óË$Ót”HMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.x2017-09-03 15:41:34.004ŸR ¬"¬YH\( C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe**˜I&#"Ë$Ó  ?Õ,&  0Ha!€Ë "Ë$Ót”IMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.x¨(& Zbf2017-09-03 15:41:39.288ŸR ³"¬YͧœC:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1920 1080 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"-Wi˜**hJ4õ‹"Ë$Ó  ?Õ,&  0H5!€&#"Ë$Ót”JMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ].,Î;m.NZ" 2017-09-03 15:41:39.317C:\Windows\System32\drivers\monitor.sysSHA1=1519DFF558D2C4443109F506486E55E2F590A77AtrueMicrosoft WindowsValid>h**Kåø'Ë$Ó  ?Õ,&  0HÝ!€4õ‹"Ë$Ót”KMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.x2017-09-03 15:41:40.036ŸR ³"¬YͧœC:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe5**èLxu*Ë$Ó  ?Õ,&  0H³!€åø'Ë$Ót”LMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆ²r,ZrB2017-09-03 15:41:49.139ŸR ½"¬YÅÒøC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py installC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'ECè** Mì]™Ë$Ó  ?Õ,&  0Hí!€xu*Ë$Ót”MMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.ˆ2017-09-03 15:41:52.645ŸR ½"¬YÅÒøC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe **èNBXšË$Ó  ?Õ,&  0H³!€ì]™Ë$Ót”NMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆ²r,ZrB2017-09-03 15:44:59.383ŸR {#¬Y£;äC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py installC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'è** O|„ÿ¿Ë$Ó  ?Õ,&  0Hí!€BXšË$Ót”OMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.ˆ2017-09-03 15:45:01.020ŸR {#¬Y£;äC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exeu **˜P°ÀË$Ó  ?Õ,&  0H_!€|„ÿ¿Ë$Ót”PMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.x¦(& Zbf2017-09-03 15:46:04.183ŸR ¼#¬YBnÌC:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1024 768 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"˜**hQóÔxÀË$Ó  ?Õ,&  0H5!€Â°ÀË$Ót”QMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ].,Î;m.NZ" 2017-09-03 15:46:04.255C:\Windows\System32\drivers\monitor.sysSHA1=1519DFF558D2C4443109F506486E55E2F590A77AtrueMicrosoft WindowsValid"h**RíbÎË$Ó  ?Õ,&  0HÝ!€óÔxÀË$Ót”RMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.x2017-09-03 15:46:04.989ŸR ¼#¬YBnÌC:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe**ØSÀoõÌ$Ó  ?Õ,&  0H£!€íbÎË$Ót”SMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.>2017-09-03 15:46:27.849ŸR r"¬Y&ðtC:\Windows\System32\audiodg.exeowØ**T.N!Ì$Ó  ?Õ,&  0Hã!€ÀoõÌ$Ót”TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.Tl(& ZJ`2017-09-03 15:48:18.347ŸR B$¬YL½ÀC:\Windows\System32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe22_ Global\UsGthrCtrlFltPipeMssGthrPipe22 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=95BEE7F8274B133E9AB524C330ACAE7E69492CFDŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /EmbeddingCr**0U‡u?Ì$Ó  ?Õ,&  0H÷!€.N!Ì$Ót”UMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.P„(& ZJ`2017-09-03 15:48:18.637ŸR B$¬YÄÔ C:\Windows\System32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 688 692 700 8192 696 C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççMediumSHA1=E650ECE4807C47CE70E4773B298CE789D3885072ŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding0**VKŽy?Ì$Ó  ?Õ,&  0HÍ!€‡u?Ì$Ót”VMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>J(4 Z>€2017-09-03 15:49:38.036ŸR ’$¬YuìœC:\Windows\System32\audiodg.exeC:\Windows\system32\AUDIODG.EXE 0x2a8C:\Windows\system32\NT AUTHORITY\LOCAL SERVICEŸR –«Y ååSystemSHA1=3F4F3B6D6120FB33B4AEEA3723E5D7693F8EC013ŸR –«YêSxC:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedi**hWv?~?Ì$Ó  ?Õ,&  0H5!€KŽy?Ì$ÓtHWMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ].,Î;m.NZ" 2017-09-03 15:49:38.052C:\Windows\System32\drivers\USBSTOR.SYSSHA1=FBB29E42A91A292A973BB619ED6484FFE1A95F6FtrueMicrosoft WindowsValidh**pXvaž?Ì$Ó  ?Õ,&  0H=!€v?~?Ì$ÓtHXMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ].,Î;m.VZ" 2017-09-03 15:49:38.084C:\Windows\System32\drivers\EhStorClass.sysSHA1=99B876DC001F8D494FDDEBB650881FBDE5B52C22trueMicrosoft WindowsValid1p**pYêþ¡?Ì$Ó  ?Õ,&  0H9!€važ?Ì$ÓtHYMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ].,Î;m.RZ" 2017-09-03 15:49:38.274C:\Windows\System32\drivers\WpdUpFltr.sysSHA1=70191B493B89161CDDFF3061DD3280518FB99024trueMicrosoft WindowsValid52Fp**ÈZê -dÌ$Ó  ?Õ,&  0H“!€êþ¡?Ì$Ót”ZMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.@(4 Z>~2017-09-03 15:49:38.313ŸR ’$¬Yÿ¤C:\Windows\System32\WUDFHost.exe"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-b8bd7d15-3d39-434b-8252-edebef087ca6 -SystemEventPortName:HostProcess-dd9d1b17-8147-40bd-89a2-044cee7b3540 -IoCancelEventPortName:HostProcess-0c8928df-a65a-4f06-91b9-0124d1abb87e -NonStateChangingEventPortName:HostProcess-0d593dbb-656e-4db4-9cfe-e18a16844256 -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:8915b2db-2167-4df7-9b44-4e7929fa3ac5 -DeviceGroupId:WpdFsGroupC:\Windows\system32\NT AUTHORITY\LOCAL SERVICEŸR –«Y ååSystemSHA1=94669BB1920F8191342956A23318822B3224A7F3ŸR –«YýDC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestrictedHÈ**ð[>³-dÌ$Ó  ?Õ,&  0H¹!€ê -dÌ$Ót”[Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.T2017-09-03 15:50:39.641ŸR B$¬YL½ÀC:\Windows\System32\SearchProtocolHost.exe24cð**è\~n]îÌ$Ó  ?Õ,&  0Hµ!€>³-dÌ$Ót”\Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.P2017-09-03 15:50:39.641ŸR B$¬YÄÔ C:\Windows\System32\SearchFilterHost.exe.è**€]9'iîÌ$Ó  ?Õ,&  0HG!€~n]îÌ$Ót”]Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.@ð(, Z>Z2017-09-03 15:54:31.486ŸR ·%¬YVå\C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -EmbeddingC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=00349303C7185FAF3E86DF9009281CC8D5B35954ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchndow€**Ø^ƒèáîÌ$Ó  ?Õ,&  0H¥!€9'iîÌ$Ót”^Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.@2017-09-03 15:54:31.563ŸR ·%¬YVå\C:\Windows\System32\rundll32.exewØ**0_ô òÌ$Ó  ?Õ,&  0H÷!€ƒèáîÌ$Ót”_Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(, Z>Z2017-09-03 15:54:32.354ŸR ¸%¬YÝ8C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 0**Ø`atSôÌ$Ó  ?Õ,&  0H£!€ô òÌ$Ót”`Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.>2017-09-03 15:54:37.658ŸR ¸%¬YÝ8C:\Windows\System32\dllhost.exeigØ**˜aþ>[ôÌ$Ó  ?Õ,&  0Ha!€atSôÌ$Ót”aMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.x¨(& Zbf2017-09-03 15:54:41.489ŸR Á%¬Y‘w$C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1920 1080 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"¬.˜**hbAÀÊôÌ$Ó  ?Õ,&  0H5!€þ>[ôÌ$Ót”bMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ].,Î;m.NZ" 2017-09-03 15:54:41.532C:\Windows\System32\drivers\monitor.sysSHA1=1519DFF558D2C4443109F506486E55E2F590A77AtrueMicrosoft WindowsValidyh**cNw,Í$Ó  ?Õ,&  0HÝ!€AÀÊôÌ$Ót”cMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.x2017-09-03 15:54:42.267ŸR Á%¬Y‘w$C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exew**hd3~†Í$Ó  ?Õ,&  0H1!€Nw,Í$Ót”dMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.š$x,Z>Z2017-09-03 15:55:33.141ŸR õ%¬Y†?ÔC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mcaC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=16724B3A89F8DB14BB049D90905305F4A113DA0BŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchh h**øeЋ@Í$Ó  ?Õ,&  0HÅ!€3~†Í$Ót”eMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.Lb(, Z>Z2017-09-03 15:55:33.829ŸR õ%¬YùN$C:\Windows\System32\browser_broker.exeC:\Windows\system32\browser_broker.exe -EmbeddingC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=924816C92DEFE67F72C35C445DCE931AE40F44ABŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchø**Øfù7üÍ$Ó  ?Õ,&  0H£!€Ð‹@Í$Ót”fMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.>2017-09-03 15:55:35.048ŸR ’$¬YuìœC:\Windows\System32\audiodg.exewaØ**pgTZÍÍ$Ó  ?Õ,&  0H;!€ù7üÍ$Ót”gMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ž*x,Z>Z2017-09-03 15:55:36.280ŸR ø%¬YÙŸTC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mcaC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=81D0336119BB4EB977700625110157F447F7EC45ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2.p**phèß1Í$Ó  ?Õ,&  0H;!€TZÍÍ$Ót”hMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ž*x,Z>Z2017-09-03 15:55:37.653ŸR ù%¬Y_µC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mcaC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=81D0336119BB4EB977700625110157F447F7EC45ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch09p**piíÍ$Ó  ?Õ,&  0H;!€èß1Í$Ót”iMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ž*x,Z>Z2017-09-03 15:55:43.344ŸR ÿ%¬YOÔC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mcaC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=81D0336119BB4EB977700625110157F447F7EC45ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchtip**pj£b÷Í$Ó  ?Õ,&  0H;!€íÍ$Ót”jMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ž*x,Z>Z2017-09-03 15:55:46.249ŸR &¬Y¯DHC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mcaC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=81D0336119BB4EB977700625110157F447F7EC45ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchp**pk€ÑfÍ$Ó  ?Õ,&  0H;!€£b÷Í$Ót”kMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ž*x,Z>Z2017-09-03 15:55:47.984ŸR &¬YÎd4 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mcaC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=81D0336119BB4EB977700625110157F447F7EC45ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:p**ðlk˜èÍ$Ó  ?Õ,&  0H¹!€€ÑfÍ$Ót”lMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.F\(, Z>Z2017-09-03 15:55:48.585ŸR &¬YL C:\Windows\System32\smartscreen.exeC:\Windows\System32\smartscreen.exe -EmbeddingC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=D45A12637D1E25020AFB92E8BD301DE869C49799ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch4:5ð34.807ŸR ¬Yý³,em ElfChnkm±m±€8ú ýGøèeqã3óè8=Î÷²›f?øm©MFº&ék#**p m‚šÅÍ$Ó  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H!€k˜èÍ$Ót”mMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxéÀ5ñxaæâçz|°âÊ€ÿÿtD‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .>¢(, Z>Z2017-09-03 15:55:49.573ŸR &¬YvšÔ C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch p **Àn|¦þÍ$Ó  ?Õ,&  0H‰!€‚šÅÍ$Ót”nMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>R(& Z@@2017-09-03 15:55:51.014ŸR &¬Yµ¬¸C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k wsappxC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=FD9154EC5FED8B2EE3A71E95CF62601AC9296509ŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exe8À**¸o´º»#Í$Ó  ?Õ,&  0H…!€|¦þÍ$Ót”oMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk¢å _Ö¡`Ÿ(À›AÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .>2017-09-03 15:55:54.750ŸR &¬YvšÔ C:\Windows\System32\dllhost.exe7¸**¸pLÍï#Í$Ó  ?Õ,&  0H…!€´º»#Í$Ót”pMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü#tlüâ:IŽ'1¶ÌÔˆŒÿÿ€Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .JÊ..2017-09-03 15:56:01.018ŸR p–«YH„C:\Windows\System32\RuntimeBroker.exeC:\Users\MNWPRO\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TKULWEBA8W6NLG7PSI2E.temp2017-09-03 15:55:46.0322017-09-03 15:56:01.010¸**qfc$Í$Ó  ?Õ,&  0Há!€LÍï#Í$Ót”qMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü#.JÊ..2017-09-03 15:56:01.363ŸR p–«YH„C:\Windows\System32\RuntimeBroker.exeC:\Users\MNWPRO\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9DZR8SEENQHHFPZXMZDM.temp2017-09-03 15:55:46.0322017-09-03 15:56:01.354**r‡¾h$Í$Ó  ?Õ,&  0Há!€fc$Í$Ót”rMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü#.JÊ..2017-09-03 15:56:02.014ŸR p–«YH„C:\Windows\System32\RuntimeBroker.exeC:\Users\MNWPRO\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OAB3PDEYXGU60LIG2SSK.temp2017-09-03 15:55:46.0322017-09-03 15:56:01.545ers**s‡¿¡2Í$Ó  ?Õ,&  0Há!€‡¾h$Í$Ót”sMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü#.JÊ..2017-09-03 15:56:02.147ŸR p–«YH„C:\Windows\System32\RuntimeBroker.exeC:\Users\MNWPRO\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X1HNL5BRX39FHZQCC9LF.temp2017-09-03 15:55:46.0322017-09-03 15:56:02.115Dat**pt|¨Õ3Í$Ó  ?Õ,&  0H;!€‡¿¡2Í$Ót”tMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ž*x,Z>Z2017-09-03 15:56:26.020ŸR *&¬Y.cÌ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mcaC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=81D0336119BB4EB977700625110157F447F7EC45ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchp**àu× è3Í$Ó  ?Õ,&  0H©!€|¨Õ3Í$Ót”uMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.T,(, ZJ`2017-09-03 15:56:28.038ŸR ,&¬Y žC:\Windows\System32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3579330227-2094980565-878306854-100023_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3579330227-2094980565-878306854-100023 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=95BEE7F8274B133E9AB524C330ACAE7E69492CFDŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /EmbeddingC01à**0v¾±+?Í$Ó  ?Õ,&  0H÷!€× è3Í$Ót”vMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.P„(& ZJ`2017-09-03 15:56:28.127ŸR ,&¬Ym£lC:\Windows\System32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 688 692 700 8192 696 C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççMediumSHA1=E650ECE4807C47CE70E4773B298CE789D3885072ŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /EmbeddingD0D90**8wÁ¯@Í$Ó  ?Õ,&  0H!€¾±+?Í$Ót”wMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.ž2017-09-03 15:56:47.039ŸR &¬Y¯DHC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe3 8**8x4n¶DÍ$Ó  ?Õ,&  0H!€Á¯@Í$Ót”xMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.ž2017-09-03 15:56:48.492ŸR &¬YÎd4 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exeC:8**8yìiEÍ$Ó  ?Õ,&  0H!€4n¶DÍ$Ót”yMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.ž2017-09-03 15:56:56.352ŸR ù%¬Y_µC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe.e8**pzpFPÍ$Ó  ?Õ,&  0H;!€ìiEÍ$Ót”zMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ž*x,Z>Z2017-09-03 15:56:57.762ŸR I&¬YuøC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mcaC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=81D0336119BB4EB977700625110157F447F7EC45ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchp**è{ò$VÍ$Ó  ?Õ,&  0H³!€pFPÍ$Ót”{Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆ²r,ZrB2017-09-03 15:57:15.752ŸR [&¬Yr” C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py installC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'1¶è** |ìÅ ]Í$Ó  ?Õ,&  0Hí!€ò$VÍ$Ót”|Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.ˆ2017-09-03 15:57:25.586ŸR [&¬Yr” C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exei **è}¦siÍ$Ó  ?Õ,&  0H³!€ìÅ ]Í$Ót”}Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆ²r,ZrB2017-09-03 15:57:37.318ŸR q&¬Y,²ˆC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py installC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'crè**8~É‹íkÍ$Ó  ?Õ,&  0H!€¦siÍ$Ót”~Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.ž2017-09-03 15:57:57.976ŸR I&¬YuøC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exeSy8** \ÿ¼uÍ$Ó  ?Õ,&  0Hí!€É‹íkÍ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.ˆ2017-09-03 15:58:02.148ŸR q&¬Y,²ˆC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe_ **è€ÇWÀvÍ$Ó  ?Õ,&  0H¯!€\ÿ¼uÍ$Ót”€Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ÚÈ,Z>Z2017-09-03 15:58:18.605ŸR š&¬Yg£8C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe" -ServerName:Hx.IPC.ServerC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=E1833044E4A0847B2308DAB7C64F240FDAD15C46ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch€èçÌ è**x‘2÷}Í$Ó  ?Õ,&  0H?!€ÇWÀvÍ$Ót”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.Ú2017-09-03 15:58:20.305ŸR š&¬Yg£8C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe:\tox**è‚»«Q‚Í$Ó  ?Õ,&  0H³!€‘2÷}Í$Ót”‚Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆ²r,ZrB2017-09-03 15:58:32.411ŸR ¨&¬YèÁœ C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\setup.py installC:\tool-test\tools\python-evtx-master\python-evtx-master\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master'owè**ðƒùkR‚Í$Ó  ?Õ,&  0H¹!€»«Q‚Í$Ót”ƒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.T2017-09-03 15:58:39.711ŸR ,&¬Y žC:\Windows\System32\SearchProtocolHost.exeon3ð**è„Ÿ߇Í$Ó  ?Õ,&  0Hµ!€ùkR‚Í$Ót”„Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.P2017-09-03 15:58:39.711ŸR ,&¬Ym£lC:\Windows\System32\SearchFilterHost.exelè** … [–Í$Ó  ?Õ,&  0Hí!€Ÿ߇Í$Ót”…Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.ˆ2017-09-03 15:58:49.023ŸR ¨&¬YèÁœ C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exei **†ÈÉ™Í$Ó  ?Õ,&  0HË!€ [–Í$Ót”†Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ˆª‚,ZrR2017-09-03 15:59:14.007ŸR Ò&¬Y(¤ tC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe"C:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe" .\evtx_dump.pyC:\tool-test\tools\python-evtx-master\python-evtx-master\scripts\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=90D2AA98E8DA6AC969FCE1D33A13F9477DFEDC6AŸR u"¬Yù ŒC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\python-evtx-master\python-evtx-master\scripts'*** ‡š52ÊKÓ  ?Õ,&  0Hí!€ÈÉ™Í$Ót”‡Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.ˆ2017-09-03 15:59:17.790ŸR Ò&¬Y(¤ tC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\python.exe **¨ˆ5GQ2ÊKÓ  ?Õ,&  0Hu!€š52ÊKÓt”ˆMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.B((& Z>T2017-10-23 06:43:12.135ŸR €íY©Á ÄC:\Windows\System32\taskhostw.exetaskhostw.exe SYSTEMC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs¨**‰]Q2ÊKÓ  ?Õ,&  0HÍ!€5GQ2ÊKÓt”‰Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>J(4 Z>€2017-10-23 06:43:12.179ŸR €íYÞà  C:\Windows\System32\audiodg.exeC:\Windows\system32\AUDIODG.EXE 0x43cC:\Windows\system32\NT AUTHORITY\LOCAL SERVICEŸR –«Y ååSystemSHA1=3F4F3B6D6120FB33B4AEEA3723E5D7693F8EC013ŸR –«YêSxC:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedo**ÀŠìlQ2ÊKÓ  ?Õ,&  0H‹!€]Q2ÊKÓt”ŠMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.@@(& Z>T2017-10-23 06:43:12.321ŸR €íYÉ ˜C:\Windows\System32\wsqmcons.exeC:\Windows\System32\wsqmcons.exeC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=82DC2B3BF8531B22A66085948B29E455325DE40DŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsowÀ**°‹9(m2ÊKÓ  ?Õ,&  0Hw!€ìlQ2ÊKÓt”‹Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.B$(, Z>T2017-10-23 06:43:12.334ŸR €íYÊ üC:\Windows\System32\taskhostw.exetaskhostw.exe USERC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsVMwa°**ÈŒ¿9m2ÊKÓ  ?Õ,&  0H“!€9(m2ÊKÓt”ŒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.<L(& Z>T2017-10-23 06:43:12.366ŸR €íYÈÊ €C:\Windows\System32\wermgr.exeC:\Windows\system32\wermgr.exe -uploadC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=A9D344AE382FFAF64D7977F632D98A422B4E09FDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsdoÈ**Èkm2ÊKÓ  ?Õ,&  0H!€¿9m2ÊKÓt”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.BB(& Z>T2017-10-23 06:43:12.376ŸR €íYÄÊ ¤ C:\Windows\System32\SIHClient.exeC:\Windows\System32\sihclient.exeC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=9A22B9D37790503092776DCD9FBB6256E7F4ABE9ŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs¿LõiûÈ**ÐŽštm2ÊKÓ  ?Õ,&  0H›!€km2ÊKÓt”ŽMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.HH(& Z>T2017-10-23 06:43:12.459ŸR €íYWÍ ÈC:\Windows\System32\DeviceCensus.exeC:\Windows\system32\devicecensus.exeC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=71511BAADE2D09E9056F29CB0073F0F20302C3C8ŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcss\Ð**h ~m2ÊKÓ  ?Õ,&  0H1!€štm2ÊKÓt”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.6º(& Zbf2017-10-23 06:43:12.492ŸR €íY°Í `C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=524AB0A40594D2B5F620F542E87A45472979A416ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"monh**àVŠm2ÊKÓ  ?Õ,&  0H§!€ ~m2ÊKÓt”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.NN(& Z>T2017-10-23 06:43:12.465ŸR €íYŠÍ ´ C:\Windows\System32\CompatTelRunner.exeC:\Windows\system32\compattelrunner.exeC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3867D423D27724449AE74844D94ADF5868DCFE6EŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1.0\à**Ø‘Êl2ÊKÓ  ?Õ,&  0H£!€VŠm2ÊKÓt”‘Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.BV(& Z>T2017-10-23 06:43:12.513ŸR €íYØÍ ( C:\Windows\System32\UsoClient.exeC:\Windows\system32\usoclient.exe StartScanC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B6C9C3EE38398E668B79ABDD8882F9226D9EDDA0ŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsowØ**È’s…2ÊKÓ  ?Õ,&  0H‘!€Êl2ÊKÓt”’Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.4R(& Z>T2017-10-23 06:43:12.628ŸR €íYÐ ÔC:\Windows\System32\sc.exeC:\Windows\system32\sc.exe start wuauservC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=42FCA92DC9E2D48BD385DB4125EAFBBF5A00AEC2ŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcse"È**¸“Bܨ2ÊKÓ  ?Õ,&  0H…!€s…2ÊKÓt”“Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.B&(8 Z>T2017-10-23 06:43:12.692ŸR €íY>Õ LC:\Windows\System32\taskhostw.exetaskhostw.exe timerC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs¸**8”"¢Ü2ÊKÓ  ?Õ,&  0H!€Bܨ2ÊKÓt””Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>n& Z6º2017-10-23 06:43:12.705ŸR €íY–Õ ÜC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR €íY°Í `C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""03 8**• ÷3ÊKÓ  ?Õ,&  0HÝ!€"¢Ü2ÊKÓt”•Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ff(, Z>T2017-10-23 06:43:13.218ŸR íY½å ŒC:\Windows\System32\AppHostRegistrationVerifier.exeC:\Windows\system32\AppHostRegistrationVerifier.exeC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=3093F2971134612B2FA7816A500B03F40531170DŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcse**€–oD™3ÊKÓ  ?Õ,&  0HI!€ ÷3ÊKÓt”–Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.œœ(, Z>T2017-10-23 06:43:14.304ŸR ‚íYl!C:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exeC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=D2DDFB82F684D6DBD1076F91E0EFB05BEFD14374ŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsexe€**(—×)4ÊKÓ  ?Õ,&  0Hñ!€oD™3ÊKÓt”—Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.@H(& Z6º2017-10-23 06:43:14.481ŸR ‚íY!èC:\Windows\System32\ipconfig.exeC:\Windows\system32\ipconfig /renewC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=751267A96267DFCC5E0C5CDFE81DDD9B5A013FFCŸR €íY°Í `C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""**(**ؘãÐL5ÊKÓ  ?Õ,&  0H¥!€×)4ÊKÓt”˜Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.@2017-10-23 06:43:15.436ŸR ’$¬Yÿ¤C:\Windows\System32\WUDFHost.exe=Ø**È™ dM5ÊKÓ  ?Õ,&  0H•!€ãÐL5ÊKÓt”™Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>n& ZBB2017-10-23 06:43:17.357ŸR …íYŽd!ÜC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR €íYÄÊ ¤ C:\Windows\System32\SIHClient.exeC:\Windows\System32\sihclient.exeyÈ**ØšgèM5ÊKÓ  ?Õ,&  0H¡!€ dM5ÊKÓt”šMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>n& ZHH2017-10-23 06:43:17.361ŸR …íYîd!lC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR €íYWÍ ÈC:\Windows\System32\DeviceCensus.exeC:\Windows\system32\devicecensus.exeDFHØ**à›+ãO5ÊKÓ  ?Õ,&  0H­!€gèM5ÊKÓt”›Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>n& ZNN2017-10-23 06:43:17.364ŸR …íYNe!dC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR €íYŠÍ ´ C:\Windows\System32\CompatTelRunner.exeC:\Windows\system32\compattelrunner.exe:à**àœ7S5ÊKÓ  ?Õ,&  0H©!€+ãO5ÊKÓt”œMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>n& ZBV2017-10-23 06:43:17.368ŸR …íY®e!ì C:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR €íYØÍ ( C:\Windows\System32\UsoClient.exeC:\Windows\system32\usoclient.exe StartScanà**ÐC©Ò5ÊKÓ  ?Õ,&  0H—!€7S5ÊKÓt”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>n& Z4R2017-10-23 06:43:17.398ŸR …íY7f!XC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR €íYÐ ÔC:\Windows\System32\sc.exeC:\Windows\system32\sc.exe start wuauservtem3Ð**О»5Ó5ÊKÓ  ?Õ,&  0H™!€C©Ò5ÊKÓt”žMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.42017-10-23 06:43:18.224ŸR €íYÐ ÔC:\Windows\System32\sc.exe\SyÐ**ØŸjC'6ÊKÓ  ?Õ,&  0H£!€»5Ó5ÊKÓt”ŸMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.>2017-10-23 06:43:18.224ŸR …íY7f!XC:\Windows\System32\conhost.exe@Ø**p êL„6ÊKÓ  ?Õ,&  0H7!€jC'6ÊKÓt” Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.NÔ(& ZNN2017-10-23 06:43:18.784ŸR †íY©™!ÄC:\Windows\System32\CompatTelRunner.exeC:\Windows\system32\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:KrPwdIZx6EeiVDsu.1C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3867D423D27724449AE74844D94ADF5868DCFE6EŸR €íYŠÍ ´ C:\Windows\System32\CompatTelRunner.exeC:\Windows\system32\compattelrunner.exe\sysp**Сt„È6ÊKÓ  ?Õ,&  0H!€êL„6ÊKÓt”¡Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.RR(& Z@@2017-10-23 06:43:19.346ŸR ‡íYS¬!ÈC:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=AA1D92CB47CE65E2D4D476560D6F0F452C530295ŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exe9Ð**Ø¢³ïÈ6ÊKÓ  ?Õ,&  0H¥!€t„È6ÊKÓt”¢Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.@2017-10-23 06:43:19.833ŸR ‚íY!èC:\Windows\System32\ipconfig.exe0Ø**УåšÉ6ÊKÓ  ?Õ,&  0H›!€³ïÈ6ÊKÓt”£Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.62017-10-23 06:43:19.833ŸR €íY°Í `C:\Windows\System32\cmd.exeWiÐ**ؤ|­+7ÊKÓ  ?Õ,&  0H£!€åšÉ6ÊKÓt”¤Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.>2017-10-23 06:43:19.849ŸR €íY–Õ ÜC:\Windows\System32\conhost.exeØ**¥'£_7ÊKÓ  ?Õ,&  0HÝ!€|­+7ÊKÓt”¥Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ff(, Z>T2017-10-23 06:43:20.333ŸR ˆíY‚»!€ C:\Windows\System32\LocationNotificationWindows.exeC:\Windows\System32\LocationNotificationWindows.exeC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=1A76E79B7E812B51AA80FC54C586FC1E8966F063ŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsd**ئ„7ÊKÓ  ?Õ,&  0H¥!€'£_7ÊKÓt”¦Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.@2017-10-23 06:43:20.834ŸR €íYÉ ˜C:\Windows\System32\wsqmcons.exePØ**¨§Íx›8ÊKÓ  ?Õ,&  0Ho!€„7ÊKÓt”§Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.<<8 Z@@2017-10-23 06:43:20.576ŸR ˆíYÀ!ÜC:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeC:\WindowsNT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=9B5B7C08DA7CF36CA302C6E57CBC8BCFA5A69A9DŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exeser_¨**à¨Lëœ8ÊKÓ  ?Õ,&  0H§!€Íx›8ÊKÓt”¨Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.B2017-10-23 06:43:22.896ŸR €íYØÍ ( C:\Windows\System32\UsoClient.exeà**Ø©;Í¢8ÊKÓ  ?Õ,&  0H£!€Lëœ8ÊKÓt”©Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.>2017-10-23 06:43:22.912ŸR …íY®e!ì C:\Windows\System32\conhost.exeØ**Hª?ô9ÊKÓ  ?Õ,&  0H!€;Í¢8ÊKÓt”ªMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ö (& Z>Z2017-10-23 06:43:22.849ŸR ŠíYwæ!ØC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.15063.410_none_9e914f9d2d85dacb\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.15063.410_none_9e914f9d2d85dacb\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=C7373181F4DF4FD8A5123B35F7A903327F6F2E36ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch*H**૱n\9ÊKÓ  ?Õ,&  0H§!€?ô9ÊKÓt”«Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.B2017-10-23 06:43:23.599ŸR €íY>Õ LC:\Windows\System32\taskhostw.exetemAà**¬aù`9ÊKÓ  ?Õ,&  0HÉ!€±n\9ÊKÓt”¬Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.H^(8 Z>Z2017-10-23 06:43:23.944ŸR ‹íYÇ"tC:\Windows\System32\SppExtComObj.ExeC:\Windows\system32\SppExtComObj.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=6405859F261189D3DC15E6FA8040FC2CB23C6499ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch!**ð­¿ÛÀ9ÊKÓ  ?Õ,&  0H»!€aù`9ÊKÓt”­Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.J`(& Z>Z2017-10-23 06:43:24.132ŸR ŒíYB "dC:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3BE30552A136411E225932C6B4FDAC6454F1898EŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchSHð**`®ÊÑÔ;ÊKÓ  ?Õ,&  0H+!€¿ÛÀ9ÊKÓt”®Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.8Â(8 ZH^2017-10-23 06:43:24.816ŸR ŒíYU'"„ C:\Windows\System32\slui.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=73111121-5638-40f6-bc11-f1d7b0d64300;NotificationInterval=1440;Trigger=TimerEventC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=4090DACB56DBFF6A5306E13FF5FA157ECA4714A9ŸR ‹íYÇ"tC:\Windows\System32\SppExtComObj.ExeC:\Windows\system32\SppExtComObj.exe -Embeddingon`**ø¯m©j<ÊKÓ  ?Õ,&  0HÅ!€ÊÑÔ;ÊKÓt”¯Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü#.>º..2017-10-23 06:43:28.302ŸR –«Y³ûôC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestoretemp51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml2017-09-03 05:51:51.3682017-10-23 06:43:22.896sø**à°6†<ÊKÓ  ?Õ,&  0H§!€m©j<ÊKÓt”°Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åk.B2017-10-23 06:43:29.287ŸR €íY©Á ÄC:\Windows\System32\taskhostw.exeMicrà**è±yê¶<ÊKÓ  ?Õ,&  0H¯!€6†<ÊKÓt”±Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü#.B ..2017-10-23 06:43:29.521ŸR €íYÄÊ ¤ C:\Windows\System32\sihclient.exeC:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\sls.cab2015-06-09 18:26:05.0002017-10-23 06:43:29.177 Àè.F\  ?Õ,&  0H58€yê¶<ÊKÓt”²Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.82\DESKTOP-DF4ULDE\MNWPRO2017-10-23 06:43:29.779ŸR ‘íY¡Ä"C:\Windows\System32\slui.exe9799ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch4:5ð34.807ŸR ¬Yý³,em ElfChnk²²€ðúÀýÈ?ó“xîóè8=Î÷²›f?øm©MFº&é ãë£åûò**° ²C. =ÊKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0HÏ!€yê¶<ÊKÓt”²Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxéÀ5ñxaæâçz|°âÊ€ÿÿtD‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .8Î(8 ZH^2017-10-23 06:43:29.779ŸR ‘íY¡Ä"C:\Windows\System32\slui.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=73111121-5638-40f6-bc11-f1d7b0d64300;NotificationInterval=1440;Trigger=NetworkAvailableC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=4090DACB56DBFF6A5306E13FF5FA157ECA4714A9ŸR ‹íYÇ"tC:\Windows\System32\SppExtComObj.ExeC:\Windows\system32\SppExtComObj.exe -Embedding° **À³·l!=ÊKÓ  ?Õ,&  0H‰!€C. =ÊKÓt”³Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë¢å _Ö¡`Ÿ(À›AÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .B2017-10-23 06:43:30.478ŸR €íYÄÊ ¤ C:\Windows\System32\SIHClient.exeÀ**Ø´îöê=ÊKÓ  ?Õ,&  0H£!€·l!=ÊKÓt”´Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.>2017-10-23 06:43:30.494ŸR …íYŽd!ÜC:\Windows\System32\conhost.exegeØ**µ!zp>ÊKÓ  ?Õ,&  0HË!€îöê=ÊKÓt”µMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.f2017-10-23 06:43:31.806ŸR íY½å ŒC:\Windows\System32\AppHostRegistrationVerifier.exeÿ€** ¶žïÔ@ÊKÓ  ?Õ,&  0Hi!€!zp>ÊKÓt”¶Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒtlüâ:IŽ'1¶ÌÔˆŒÿÿ€Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .>º..2017-10-23 06:43:32.682ŸR –«Y³ûôC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestoretemp51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml2017-09-03 05:51:51.3682017-09-03 05:51:51.368. **·0{@AÊKÓ  ?Õ,&  0HË!€žïÔ@ÊKÓt”·Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.f2017-10-23 06:43:36.697ŸR ˆíY‚»!€ C:\Windows\System32\LocationNotificationWindows.exe**иÏÛAÊKÓ  ?Õ,&  0H!€0{@AÊKÓt”¸Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.8N(, Z>Z2017-10-23 06:43:37.408ŸR ™íYTJ#ìC:\Windows\System32\slui.exeC:\Windows\System32\slui.exe -EmbeddingC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=4090DACB56DBFF6A5306E13FF5FA157ECA4714A9ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchûÐ**è¹µ´ÜAÊKÓ  ?Õ,&  0H¯!€ÏÛAÊKÓt”¹Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.HX(, ZHH2017-10-23 06:43:38.427ŸR šíY‘Z# C:\Windows\System32\DeviceCensus.exeC:\Windows\system32\devicecensus.exe UserCxtC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=71511BAADE2D09E9056F29CB0073F0F20302C3C8ŸR €íYWÍ ÈC:\Windows\System32\DeviceCensus.exeC:\Windows\system32\devicecensus.exeŸR *&¬è**𺱮ñAÊKÓ  ?Õ,&  0H·!€µ´ÜAÊKÓt”ºMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>n, ZHX2017-10-23 06:43:38.432ŸR šíY[#4C:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR šíY‘Z# C:\Windows\System32\DeviceCensus.exeC:\Windows\system32\devicecensus.exe UserCxtð**»S{øAÊKÓ  ?Õ,&  0H×!€±®ñAÊKÓt”»Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.r2017-10-23 06:43:38.556ŸR u"¬Yù ŒC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\Sea**ؼ³IsBÊKÓ  ?Õ,&  0H£!€S{øAÊKÓt”¼Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.>2017-10-23 06:43:38.572ŸR v"¬YŽ#äC:\Windows\System32\conhost.exe" Ø**à½&ÍtBÊKÓ  ?Õ,&  0H­!€³IsBÊKÓt”½Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.H2017-10-23 06:43:39.416ŸR šíY‘Z# C:\Windows\System32\DeviceCensus.exeAà**ؾR±BÊKÓ  ?Õ,&  0H£!€&ÍtBÊKÓt”¾Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.>2017-10-23 06:43:39.416ŸR šíY[#4C:\Windows\System32\conhost.exeofØ**¿õd·BÊKÓ  ?Õ,&  0H×!€R±BÊKÓt”¿Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.r2017-10-23 06:43:39.822ŸR ¬Yè~ ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMed**ØÀj ÖBÊKÓ  ?Õ,&  0H£!€õd·BÊKÓt”ÀMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.>2017-10-23 06:43:39.822ŸR ¬Y€ ÔC:\Windows\System32\conhost.execrØ**àÁÆš×BÊKÓ  ?Õ,&  0H­!€j ÖBÊKÓt”ÁMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.H2017-10-23 06:43:40.056ŸR €íYWÍ ÈC:\Windows\System32\DeviceCensus.exeà**ØÂTQëCÊKÓ  ?Õ,&  0H£!€Æš×BÊKÓt”ÂMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.>2017-10-23 06:43:40.072ŸR …íYîd!lC:\Windows\System32\conhost.exeexØ**àÃ;FÊKÓ  ?Õ,&  0H«!€TQëCÊKÓt”ÃMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒ.> ..2017-10-23 06:43:41.869ŸR –«Y³ûôC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\sls.cab2017-10-11 11:11:07.0002017-06-06 16:52:07.000à**èĵwGÊKÓ  ?Õ,&  0H³!€;FÊKÓt”ÄMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒ.>¨..2017-10-23 06:43:45.556ŸR –«Y³ûôC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp2017-04-20 16:11:08.0002017-10-23 06:43:44.306.mè**ÐÅU ”GÊKÓ  ?Õ,&  0H!€µwGÊKÓt”ÅMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.82017-10-23 06:43:47.994ŸR ŒíYU'"„ C:\Windows\System32\slui.exeDÐ**ÐÆ…£•GÊKÓ  ?Õ,&  0H!€U ”GÊKÓt”ÆMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.82017-10-23 06:43:47.994ŸR ™íYTJ#ìC:\Windows\System32\slui.exe¬Ð**ÐÇÏó•GÊKÓ  ?Õ,&  0H!€…£•GÊKÓt”ÇMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.82017-10-23 06:43:48.025ŸR ‘íY¡Ä"C:\Windows\System32\slui.exeUÐ**ØÈósºHÊKÓ  ?Õ,&  0H¡!€Ïó•GÊKÓt”ÈMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.<2017-10-23 06:43:48.025ŸR €íYÈÊ €C:\Windows\System32\wermgr.exeterØ** É–ž†JÊKÓ  ?Õ,&  0Hg!€ósºHÊKÓt”ÉMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒ.>\..2017-10-23 06:43:49.948ŸR –«Y³ûôC:\Windows\system32\svchost.exeC:\Users\MNWPRO\AppData\Local\Temp\BIT50AD.tmp2017-09-11 17:52:45.0002017-10-23 06:43:48.119on.e **8Ê<«JÊKÓ  ?Õ,&  0Hÿ!€–ž†JÊKÓt”ÊMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.š2017-10-23 06:43:52.948ŸR õ%¬Y†?ÔC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exeon368**(ËÍÉJÊKÓ  ?Õ,&  0Hñ!€<«JÊKÓt”ËMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(& Z>Z2017-10-23 06:43:53.127ŸR ©íYx$tC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchH(**8ÌÐJÊKÓ  ?Õ,&  0H!€ÍÉJÊKÓt”ÌMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.ž2017-10-23 06:43:53.400ŸR ø%¬YÙŸTC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exeH8**èÍ—-ÐJÊKÓ  ?Õ,&  0H±!€ÐJÊKÓt”ÍMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.L2017-10-23 06:43:53.416ŸR õ%¬YùN$C:\Windows\System32\browser_broker.exeè**8ΗøJÊKÓ  ?Õ,&  0H!€—-ÐJÊKÓt”ÎMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.ž2017-10-23 06:43:53.431ŸR *&¬Y.cÌ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe__8**8Ï~€§LÊKÓ  ?Õ,&  0H!€—øJÊKÓt”ÏMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.ž2017-10-23 06:43:53.698ŸR ÿ%¬YOÔC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exeŸR8**˜ÐE¨”MÊKÓ  ?Õ,&  0Ha!€~€§LÊKÓt”ÐMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.x¨(& Zbf2017-10-23 06:43:56.508ŸR ¬íY]¨$ C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1920 1080 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"pW*Âà˜**ÑLëæMÊKÓ  ?Õ,&  0HÝ!€E¨”MÊKÓt”ÑMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.x2017-10-23 06:43:58.087ŸR ¬íY]¨$ C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe **ØÒˆfGWÊKÓ  ?Õ,&  0H£!€LëæMÊKÓt”ÒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.>2017-10-23 06:43:58.619ŸR ©íYx$tC:\Windows\System32\dllhost.exe32Ø**ÈÓöÎâfÊKÓ  ?Õ,&  0H“!€ˆfGWÊKÓt”ÓMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>J(& Z>T2017-10-23 06:44:14.359ŸR ¾íYáo&üC:\Windows\System32\consent.execonsent.exe 1012 608 000001F7C1B52940C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B02648A975909E63D93E3531C1250F89BA676F9FŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsofÈ**àÔšIòfÊKÓ  ?Õ,&  0H­!€öÎâfÊKÓt”ÔMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.H2017-10-23 06:44:40.536ŸR ‹íYÇ"tC:\Windows\System32\SppExtComObj.Exerà**ØÕ\=¦mÊKÓ  ?Õ,&  0H¡!€šIòfÊKÓt”ÕMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.<2017-10-23 06:44:40.645ŸR ˆíYÀ!ÜC:\Windows\System32\sppsvc.exe0Ø** Ö¸‰QxÊKÓ  ?Õ,&  0Hg!€\=¦mÊKÓt”ÖMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒ.>\..2017-10-23 06:44:51.880ŸR –«Y³ûôC:\Windows\system32\svchost.exeC:\Users\MNWPRO\AppData\Local\Temp\BIT603E.tmp2017-09-11 17:52:46.0002017-10-23 06:43:52.103ol-t **à×ë*¬zÊKÓ  ?Õ,&  0H«!€¸‰QxÊKÓt”×Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.F2017-10-23 06:45:09.786ŸR &¬YL C:\Windows\System32\smartscreen.exeweà**XØ_\I{ÊKÓ  ?Õ,&  0H!!€ë*¬zÊKÓt”ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.@F(& ZNÔ2017-10-23 06:45:13.741ŸR ùíYÁe'¬ C:\Windows\System32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\GeneralTel.dll,RunGeneralTelemetry -cV KrPwdIZx6EeiVDsu.1.1 -SendFullTelemetry -ThrottleUtc -TelemetryAllowedC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=00349303C7185FAF3E86DF9009281CC8D5B35954ŸR †íY©™!ÄC:\Windows\System32\CompatTelRunner.exeC:\Windows\system32\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:KrPwdIZx6EeiVDsu.1exeX**¨Ù@wé|ÊKÓ  ?Õ,&  0Ho!€_\I{ÊKÓt”ÙMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.<<8 Z@@2017-10-23 06:45:14.569ŸR úíY‘s'8C:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeC:\WindowsNT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=9B5B7C08DA7CF36CA302C6E57CBC8BCFA5A69A9DŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exesyst¨**`Útdº~ÊKÓ  ?Õ,&  0H-!€@wé|ÊKÓt”ÚMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.¨Î(, Zœœ2017-10-23 06:45:17.374ŸR ýíYä(ÀC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe"C:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update /restartC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=5CFB090D19D296355F6FF361C39848446C39AF9AŸR ‚íYl!C:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exey`**ÐÛ±4ö†ÊKÓ  ?Õ,&  0H!€tdº~ÊKÓt”ÛMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>T(8 Z@@2017-10-23 06:45:20.544ŸR íYí((8 C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k smphostC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=FD9154EC5FED8B2EE3A71E95CF62601AC9296509ŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exeeÐ**8Ü·v‡ÊKÓ  ?Õ,&  0H!€±4ö†ÊKÓt”ÜMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.œ2017-10-23 06:45:34.348ŸR ‚íYl!C:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exes\s8**݇ÊKÓ  ?Õ,&  0HÉ!€·v‡ÊKÓt”ÝMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.@„(, Z@F2017-10-23 06:45:34.550ŸR íYe¦(C:\Windows\System32\rundll32.exerundll32 C:\Windows\system32\GeneralTel.dll,RunInUserCxt KrPwdIZx6EeiVDsu.1.1.2 {0C30A4C5-7339-40E6-BEAB-6AF30FCE5FEB} {24AB1C50-9217-6739-D3C0-3EFC828EC8C9} IsAdmin WAMAccountCount OfficeAddInsC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=00349303C7185FAF3E86DF9009281CC8D5B35954ŸR ùíYÁe'¬ C:\Windows\System32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\GeneralTel.dll,RunGeneralTelemetry -cV KrPwdIZx6EeiVDsu.1.1 -SendFullTelemetry -ThrottleUtc -TelemetryAllowed€km2**ØÞP}h‰ÊKÓ  ?Õ,&  0H¥!€‡ÊKÓt”ÞMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.@2017-10-23 06:45:35.270ŸR íYe¦(C:\Windows\System32\rundll32.exenØ**(ß„€£‰ÊKÓ  ?Õ,&  0Hñ!€P}h‰ÊKÓt”ßMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(& Z>Z2017-10-23 06:45:38.457ŸR íY(Ñ(xC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch"C:(**Øàˤ‰ÊKÓ  ?Õ,&  0H£!€„€£‰ÊKÓt”àMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.>2017-10-23 06:45:38.833ŸR ¾íYáo&üC:\Windows\System32\consent.exe,&Ø**(áƒæ­‰ÊKÓ  ?Õ,&  0Hñ!€Ã‹¤‰ÊKÓt”áMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(& Z>Z2017-10-23 06:45:38.858ŸR íYŒÚ(X C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchH(**€â™ÈŠÊKÓ  ?Õ,&  0HM!€ƒæ­‰ÊKÓt”âMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.r(,Z..2017-10-23 06:45:38.918ŸR íYªÝ(C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\Sysmon'C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=F31C17E0453F27BE85730E316840F11522DDEC3EŸR S–«Y­{ C:\Windows\explorer.exeC:\Windows\Explorer.EXEn€**ÀãGtq‹ÊKÓ  ?Õ,&  0H‰!€™ÈŠÊKÓt”ãMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>n,Zr2017-10-23 06:45:40.770ŸR íY)ã(¤C:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR íYªÝ(C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\Sysmon'skhÀ**@äÙ}ŒÊKÓ  ?Õ,&  0H !€Gtq‹ÊKÓt”äMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒ.rÊ..2017-10-23 06:45:41.879ŸR íYªÝ(C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\MNWPRO\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E7AD6LJYEZ4DVG98641H.temp2017-09-03 11:07:06.6582017-10-23 06:45:41.84823 @**Øå–ä©ŒÊKÓ  ?Õ,&  0H£!€Ù}ŒÊKÓt”åMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.>2017-10-23 06:45:43.630ŸR íY(Ñ(xC:\Windows\System32\dllhost.exed.Ø**Øæ^J•ÊKÓ  ?Õ,&  0H£!€–ä©ŒÊKÓt”æMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.>2017-10-23 06:45:43.927ŸR íYŒÚ(X C:\Windows\System32\dllhost.exeSyØ**Ðçëì,–ÊKÓ  ?Õ,&  0H›!€^J•ÊKÓt”çMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.¨þ(, Z¨Î2017-10-23 06:45:58.396ŸR &íY×/)¨C:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /restart /peruser /childprocess C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=5CFB090D19D296355F6FF361C39848446C39AF9AŸR ýíYä(ÀC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe"C:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update /restartivÐ**Øè{oéÊKÓ  ?Õ,&  0H¡!€ëì,–ÊKÓt”èMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.<2017-10-23 06:45:59.880ŸR úíY‘s'8C:\Windows\System32\sppsvc.exe?Õ,&Ø**éÃÂêÊKÓ  ?Õ,&  0H[!€{oéÊKÓt”éMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.ö2017-10-23 06:46:12.864ŸR ŠíYwæ!ØC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.15063.410_none_9e914f9d2d85dacb\TiWorker.exeS**ðêô}¨ÊKÓ  ?Õ,&  0H·!€ÃÂêÊKÓt”êMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.R2017-10-23 06:46:12.864ŸR ‡íYS¬!ÈC:\Windows\servicing\TrustedInstaller.exeð**àëY¼ëªÊKÓ  ?Õ,&  0H§!€ô}¨ÊKÓt”ëMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.B2017-10-23 06:46:30.599ŸR €íYÊ üC:\Windows\System32\taskhostw.exe€ãÐL5à**0ì®Ì?®ÊKÓ  ?Õ,&  0H÷!€Y¼ëªÊKÓt”ìMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(, Z>Z2017-10-23 06:46:34.691ŸR JíYXe*C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{AA65DD7C-83AC-48C0-A6FD-9B61FEBF8800}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchMicr0**Øíþ±³ÊKÓ  ?Õ,&  0H£!€®Ì?®ÊKÓt”íMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.>2017-10-23 06:46:40.271ŸR JíYXe*C:\Windows\System32\dllhost.exeSØ**ðîÃýDµÊKÓ  ?Õ,&  0H·!€þ±³ÊKÓt”îMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒ.>¬..2017-10-23 06:46:49.411ŸR –«Y³ûôC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\Download\6c94699609ce39feff1076bfb74e6d85\BlockMap.xml2012-12-31 08:00:00.0002017-10-23 06:46:48.521\Sysð**¨ï‚ý¶ÊKÓ  ?Õ,&  0Ho!€ÃýDµÊKÓt”ïMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.<<8 Z@@2017-10-23 06:46:52.053ŸR \íY÷ +ü C:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeC:\WindowsNT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=9B5B7C08DA7CF36CA302C6E57CBC8BCFA5A69A9DŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exe3:17¨**(ðo%¹ÊKÓ  ?Õ,&  0Hñ!€‚ý¶ÊKÓt”ðMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(& Z>Z2017-10-23 06:46:54.940ŸR ^íY![+t C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch\co(**ÐñsOˆ¹ÊKÓ  ?Õ,&  0H!€o%¹ÊKÓt”ñMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.RR(& Z@@2017-10-23 06:46:58.336ŸR bíY›Á+ÔC:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=AA1D92CB47CE65E2D4D476560D6F0F452C530295ŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exeÐ**Hò»7kºÊKÓ  ?Õ,&  0H!€sOˆ¹ÊKÓt”òMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ö (& Z>Z2017-10-23 06:46:59.202ŸR cíYÌ+x C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.15063.410_none_9e914f9d2d85dacb\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.15063.410_none_9e914f9d2d85dacb\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=C7373181F4DF4FD8A5123B35F7A903327F6F2E36ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch74H**ØówR½ÊKÓ  ?Õ,&  0H£!€»7kºÊKÓt”óMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.>2017-10-23 06:47:00.677ŸR ^íY![+t C:\Windows\System32\dllhost.exeofØ**ðôq#™½ÊKÓ  ?Õ,&  0H·!€wR½ÊKÓt”ôMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒ.>¬..2017-10-23 06:47:05.552ŸR –«Y³ûôC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\Download\b3c5576a728f0d27ace1f53678ee010b\BlockMap.xml2012-12-31 08:00:00.0002017-10-23 06:47:05.333³ïÈ6ð**ðõ.;ÀÊKÓ  ?Õ,&  0H·!€q#™½ÊKÓt”õMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüƒ.>¬..2017-10-23 06:47:06.020ŸR –«Y³ûôC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\Download\6ebbaab48a77a481a3e3dc349e6b7002\BlockMap.xml2012-12-31 08:00:00.0002017-10-23 06:47:05.989onalð**(öI‹8ÃÊKÓ  ?Õ,&  0Hñ!€.;ÀÊKÓt”öMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>¢(& Z>Z2017-10-23 06:47:10.442ŸR níY i,PC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch333(**Ø÷ƒ=¬ÈÊKÓ  ?Õ,&  0H£!€I‹8ÃÊKÓt”÷Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.>2017-10-23 06:47:15.458ŸR níY i,PC:\Windows\System32\dllhost.exendØ**ØøÄÆ1éÊKÓ  ?Õ,&  0H¡!€ƒ=¬ÈÊKÓt”øMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.<2017-10-23 06:47:24.598ŸR \íY÷ +ü C:\Windows\System32\sppsvc.exe@Ø**ÐùRCçéÊKÓ  ?Õ,&  0H—!€ÄÆ1éÊKÓt”ùMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.HR4,Zr2017-10-23 06:48:19.106ŸR ³íY×È.<C:\tool-test\tools\Sysmon\Sysmon.exe"C:\tool-test\tools\Sysmon\Sysmon.exe" -uC:\tool-test\tools\Sysmon\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=199F1773123652D7E958468C280426AFF6E16D78ŸR íYªÝ(C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools\Sysmon'Ð**ú9ÕOêÊKÓ  ?Õ,&  0HÍ!€RCçéÊKÓt”úMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.ZR4,ZHR2017-10-23 06:48:20.354ŸR ´íYÕ.\C:\Users\MNWPRO\AppData\Local\Temp\Sysmon.exe"C:\tool-test\tools\Sysmon\Sysmon.exe" -uC:\tool-test\tools\Sysmon\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=849B8DFAF9159AFDC14D514B2243D4D5BA2FF9A4ŸR ³íY×È.<C:\tool-test\tools\Sysmon\Sysmon.exe"C:\tool-test\tools\Sysmon\Sysmon.exe" -uû**ˆûŠ| DÌKÓ  ?Õ,&  0HQ!€9ÕOêÊKÓtœûMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ^¼T ã^¼TïÀ ÛËíd±JÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ!8=State Aÿÿ%8=Version Aÿÿ18#= SchemaVersion .2017-10-23 06:48:21.034Stopped6.033.30_noˆ**xü²ŒFÌKÓ  ?Õ,& 0H/!€Š| DÌKÓÀ  ü³>XÕÕÝÞ|&æY4èMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational æ†t3£åæ†t3àŽ¹õÝö Sf¸.†¾ÿÿ²Aÿÿ%8=UtcTime Aÿÿ18#= Configuration AÿÿA83=ConfigurationFileHash .2017-10-23 06:58:01.088PÊZR@ÙZRx**¨ýy)FÌKÓ  ?Õ,&  0Ho!€²ŒFÌKÓ„ØýMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ^¼T ã.2017-10-23 06:58:04.541Started6.103.400¨**€þ§¶*FÌKÓ  ?Õ,&  0HM!€y)FÌKÓ„ØþMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.**(& Z@@2017-10-23 06:58:01.154ŸR ù’íYdJ„C:\Windows\Sysmon.exeC:\Windows\Sysmon.exeC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=1C426D2D4EA362EBDB9CE5BF10513E28CB3305E3ŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exec€**ðÿãðAGÌKÓ  ?Õ,&  0H»!€§¶*FÌKÓ„ØÿMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.J`(& Z>Z2017-10-23 06:58:04.167ŸR ü’íY4+J„C:\Windows\System32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=D37238D871B19224C4067130B23FBE5332263B88ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch Dð**ؽ,MÌKÓ  ?Õ,&  0H¥!€ãðAGÌKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åë.@2017-10-23 06:58:06.447ŸR õ’íYUãIÀ C:\tool-test\Sysmon\Sysmon64.exe"Ø**8# ÌMÌKÓ  ?Õ,&  0H!€½,MÌKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oûòƒcß#O*ú6†öE6^OÊ^”ÿÿˆAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ8=User Aÿÿ'8=Protocol Aÿÿ)8= Initiated  Aÿÿ/8!= SourceIsIpv6  Aÿÿ'8=SourceIp Aÿÿ38%=SourceHostname Aÿÿ+8= SourcePort Aÿÿ38%=SourcePortName Aÿÿ98+=DestinationIsIpv6 Aÿÿ18#= DestinationIp Aÿÿ=8/=DestinationHostname Aÿÿ58'=DestinationPort Aÿÿ=8/=DestinationPortName .>4   2017-10-23 06:58:15.154ŸR –«Y… ˆC:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudp192.168.62.128D192.168.62.254Cl8**ø» ÌMÌKÓ  ?Õ,&  0HÃ!€# ÌMÌKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oûò.>8  :6 $ 2017-10-23 06:58:15.167ŸR –«Yõ àC:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfe80:0:0:0:252c:71a:8319:6430DESKTOP-DF4ULDE.localdomain‚Êff02:0:0:0:0:0:1:3ëllmnrofø**Ð( ÌMÌKÓ  ?Õ,&  0H—!€» ÌMÌKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oûò.>8  B & 2017-10-23 06:58:15.168ŸR –«Yõ àC:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpc0a8:3e80:0:0:28c1:ab7b:8f86:ffff‚Êe000:fc:0:0:0:0:0:0ëllmnrÐMicrosoft-  ?Õ,&  0Hmo€( ÌMÌKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oûò.>4e9799ŸR –«Y¨¡äC:\Wind2017-10-23 06:58:15.181ŸR –«Y–) C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudp ElfChnkTT€8üøþW—«Íe»Ô|óè8=Î÷²›f?øm©MFº&›«!³Ì**8 v ÌMÌKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0HQ!€( ÌMÌKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oécß#O*ú6†öE6^OÊ^Âÿÿ¶D‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ8=User Aÿÿ'8=Protocol Aÿÿ)8= Initiated  Aÿÿ/8!= SourceIsIpv6  Aÿÿ'8=SourceIp Aÿÿ38%=SourceHostname Aÿÿ+8= SourcePort Aÿÿ38%=SourcePortName Aÿÿ98+=DestinationIsIpv6 Aÿÿ18#= DestinationIp Aÿÿ=8/=DestinationHostname Aÿÿ58'=DestinationPort Aÿÿ=8/=DestinationPortName .>4   2017-10-23 06:58:15.181ŸR –«Y–) C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudp127.0.0.1DESKTOP-DF4ULDEûÉ239.255.255.250lssdp-9838 **°JJôMÌKÓ  ?Õ,&  0Hw!€v ÌMÌKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>4   2017-10-23 06:58:15.181ŸR –«Y–) C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudp239.255.255.250lssdp127.0.0.1DESKTOP-DF4ULDEûÉ°**øç«GNÌKÓ  ?Õ,&  0HÁ!€JJôMÌKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>8  B N 2017-10-23 06:58:16.508ŸR –«Yõ àC:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpc0a8:3e80:0:0:28c1:ab7b:8f86:ffffŠîc0a8:3e02:7524:d301:60af:c715:7524:d3015domainHø**ЬGNÌKÓ  ?Õ,&  0H›!€ç«GNÌKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>8  6  2017-10-23 06:58:16.510ŸR –«Yõ àC:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudp192.168.62.128DESKTOP-DF4ULDE.localdomainŠî192.168.62.25domain3 Ð**°ŒÁ\NÌKÓ  ?Õ,&  0Hw!€¬GNÌKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé. &  6 2017-10-23 06:58:16.515ŸR ä•«YëSystemNT AUTHORITY\SYSTEMudp192.168.62.128DESKTOP-DF4ULDE.localdomain‰netbios-ns192.168.62.254‰netbios-nsmage°** …¸·NÌKÓ  ?Õ,&  0HÙ!€ŒÁ\NÌKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›À5ñxaæâçz|°âÊRÿÿFAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .@J(,Zrø2017-10-23 06:58:18.038ŸR “íYù¦Jä C:\tool-test\Sysmon\Sysmon64.exe"C:\tool-test\Sysmon\Sysmon64.exe" -sC:\tool-test\Sysmon\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=1C426D2D4EA362EBDB9CE5BF10513E28CB3305E3ŸR Ò’íYf9IìC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\Sysmon'ws\**Ð ÷Ò¹NÌKÓ  ?Õ,&  0H›!€…¸·NÌKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!¢å _Ö¡`Ÿ(À›AÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .T2017-10-23 06:58:18.979ŸR =’íY@DüC:\Windows\System32\SearchProtocolHost.exem3Ð**è uçNÌKÓ  ?Õ,&  0Hµ!€÷Ò¹NÌKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.P2017-10-23 06:58:18.994ŸR =’íYÊBDàC:\Windows\System32\SearchFilterHost.exeAè**¨ \ÙÓTÌKÓ  ?Õ,&  0Hs!€uçNÌKÓ„T Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé. &  6 2017-10-23 06:58:18.224ŸR ä•«YëSystemNT AUTHORITY\SYSTEMudp192.168.62.128DESKTOP-DF4ULDE.localdomain‰netbios-ns192.168.62.2‰netbios-ns41¨**è ²“ëVÌKÓ  ?Õ,&  0Hµ!€\ÙÓTÌKÓ„T Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>4  < $2017-10-23 06:58:27.945ŸR –«Y… ˆC:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfe80:0:0:0:2076:3774:3f57:c17f"dhcpv6-clientff02:0:0:0:0:0:1:2#dhcpv6-serverBè**؆© {ÌKÓ  ?Õ,&  0H¥!€²“ëVÌKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.@2017-10-23 06:58:32.745ŸR “íYù¦Jä C:\tool-test\Sysmon\Sysmon64.exeBØ**è[L§{ÌKÓ  ?Õ,&  0H³!€†© {ÌKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.N2017-10-23 06:59:33.495ŸR †íY©™!ÄC:\Windows\System32\CompatTelRunner.exeè**XÈðC~ÌKÓ  ?Õ,&  0H%!€[L§{ÌKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.NÂ(& ZNN2017-10-23 06:59:34.364ŸR V“íYbnLìC:\Windows\System32\CompatTelRunner.exeC:\Windows\system32\CompatTelRunner.exe -m:appraiser.dll -f:UpdateAvStatus -cv:KrPwdIZx6EeiVDsu.3C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=3867D423D27724449AE74844D94ADF5868DCFE6EŸR €íYŠÍ ´ C:\Windows\System32\CompatTelRunner.exeC:\Windows\system32\compattelrunner.exeX**è„9³~ÌKÓ  ?Õ,&  0H³!€ÈðC~ÌKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.N2017-10-23 06:59:38.760ŸR V“íYbnLìC:\Windows\System32\CompatTelRunner.exeè**ÐÕ{[€ÌKÓ  ?Õ,&  0H™!€„9³~ÌKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.N&  6  2017-10-23 06:59:37.542ŸR V“íYbnLìC:\Windows\System32\CompatTelRunner.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain|Ç40.77.226.249»httpsîd!Ð**è.r€ÌKÓ  ?Õ,&  0H³!€Õ{[€ÌKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.N2017-10-23 06:59:42.260ŸR €íYŠÍ ´ C:\Windows\System32\CompatTelRunner.exeôè**Øë–†ÌKÓ  ?Õ,&  0H£!€.r€ÌKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.>2017-10-23 06:59:42.416ŸR …íYNe!dC:\Windows\System32\conhost.exeØ**P”‘–†ÌKÓ  ?Õ,&  0H!€ë–†ÌKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.\,  6 h 2017-10-23 06:59:50.590ŸR S–«Yy€C:\Windows\System32\InputMethod\CHS\ChsIME.exeDESKTOP-DF4ULDE\MNWPROtcp192.168.62.128DESKTOP-DF4ULDE.localdomain}Ç23.209.177.248a23-209-177-248.deploy.static.akamaitechnologies.com»httpst-WiP**0¼ ™ÌKÓ  ?Õ,&  0Hý!€”‘–†ÌKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.\,  6 P 2017-10-23 06:59:51.274ŸR S–«Yy€C:\Windows\System32\InputMethod\CHS\ChsIME.exeDESKTOP-DF4ULDE\MNWPROtcp192.168.62.128DESKTOP-DF4ULDE.localdomain~Ç52.175.112.24blob.hk2prdstr06a.store.core.windows.net»https0**Ø_u+ßÌKÓ  ?Õ,&  0H£!€¼ ™ÌKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.>2017-10-23 07:00:23.682ŸR íYí((8 C:\Windows\System32\svchost.exeØ**Ø…Í<çÌKÓ  ?Õ,&  0H£!€_u+ßÌKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.>2017-10-23 07:02:21.339ŸR Î’íYZIÈC:\Windows\System32\audiodg.exeØ**èe TèÌKÓ  ?Õ,&  0H¯!€…Í<çÌKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.ÚÈ,Z>Z2017-10-23 07:02:34.876ŸR ”íYæQC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe" -ServerName:Hx.IPC.ServerC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=E1833044E4A0847B2308DAB7C64F240FDAD15C46ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3:53è**à»(TèÌKÓ  ?Õ,&  0H§!€e TèÌKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.B2017-10-23 07:02:36.683ŸR h’íYâG, C:\Windows\System32\MpSigStub.exe¨¡äà**ù(öÌKÓ  ?Õ,&  0Hß!€»(TèÌKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.z2017-10-23 07:02:36.699ŸR u’íYzïG@C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe3:53**xE.¹/ÍKÓ  ?Õ,&  0H?!€ù(öÌKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.Ú2017-10-23 07:02:59.902ŸR ”íYæQC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exetem3x**àM‰º5ÍKÓ  ?Õ,&  0H­!€E.¹/ÍKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.@V(, Z>Z2017-10-23 07:04:36.479ŸR „”íYmsWÀC:\Windows\System32\OpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=B20196FEBD32CE54AB4A14D6549E3732C2D46521ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3à**0‹ 9ÍKÓ  ?Õ,&  0H÷!€M‰º5ÍKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.>¢(, Z>Z2017-10-23 07:04:46.527ŸR Ž”íY׉X|C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch7F420**ؤWw=ÍKÓ  ?Õ,&  0H£!€‹ 9ÍKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.>2017-10-23 07:04:52.121ŸR Ž”íY׉X|C:\Windows\System32\dllhost.execrØ**0 \Z“@ÍKÓ  ?Õ,&  0H÷!€¤Ww=ÍKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.>¢(, Z>Z2017-10-23 07:04:59.547ŸR ›”íYóÂXôC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchosof0**Ø!5¤JFÍKÓ  ?Õ,&  0H£!€\Z“@ÍKÓ„Ø!Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.>2017-10-23 07:05:04.761ŸR ›”íYóÂXôC:\Windows\System32\dllhost.exeB0Ø**"5¢FÍKÓ  ?Õ,&  0HÏ!€5¤JFÍKÓ„Ø"Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.>|(, Z@V2017-10-23 07:05:14.334ŸR ª”íY èX„C:\Windows\System32\notepad.exe"C:\Windows\system32\NOTEPAD.EXE" C:\tool-test\Sysmon\Eula.txtC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=2302BA58181F3C4E1E44A47A7D214EE9397CF2BAŸR „”íYmsWÀC:\Windows\System32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embeddingonal**Ø#zË1SÍKÓ  ?Õ,&  0H¥!€5¢FÍKÓ„Ø#Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.@2017-10-23 07:05:14.902ŸR „”íYmsWÀC:\Windows\System32\OpenWith.exelØ**è$ªiÍKÓ  ?Õ,&  0H¯!€zË1SÍKÓ„Ø$Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.J2017-10-23 07:05:35.996ŸR ŒíYB "dC:\Windows\System32\wbem\WmiPrvSE.exe«!è**(%l¯iÍKÓ  ?Õ,&  0Hñ!€ªiÍKÓ„Ø%Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.B¤(& Z>T2017-10-23 07:06:12.492ŸR ä”íYç5Z€C:\Windows\System32\taskhostw.exetaskhostw.exe -RegisterDevice -ProtectionStateChanged -FreeNetworkOnly -NoLocationC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsV K(**à&‡~ïÁÍKÓ  ?Õ,&  0H§!€l¯iÍKÓ„Ø&Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.B2017-10-23 07:06:13.730ŸR ä”íYç5Z€C:\Windows\System32\taskhostw.exetem3à**P'œýÁÍKÓ  ?Õ,&  0H!€‡~ïÁÍKÓ„Ø'Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.@æ@, Z..2017-10-23 07:08:41.789ŸR y•íY¤^blC:\Windows\System32\eventvwr.exe"C:\Windows\system32\eventvwr.exe" /l:"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%%4Operational.evtx"C:\Windows\System32\winevt\Logs\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=967A4A8C5AE701AB8EA069F45764EB09AF4A89D2ŸR S–«Y­{ C:\Windows\explorer.exeC:\Windows\Explorer.EXEes.P**Ø(˜ÇÍKÓ  ?Õ,&  0H¥!€œýÁÍKÓ„Ø(Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.@2017-10-23 07:08:41.870ŸR y•íY¤^blC:\Windows\System32\eventvwr.exe:Ø**È)¸ÉÊÍKÓ  ?Õ,&  0H“!€˜ÇÍKÓ„Ø)Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.>J(& Z>T2017-10-23 07:08:51.246ŸR ƒ•íYÉ€b¤C:\Windows\System32\consent.execonsent.exe 1012 476 000001F7C02E0440C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B02648A975909E63D93E3531C1250F89BA676F9FŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsÈ**(*QfËÍKÓ  ?Õ,&  0Hñ!€¸ÉÊÍKÓ„Ø*Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.>¢(& Z>Z2017-10-23 07:08:56.640ŸR ˆ•íYŸ•b|C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch€±4ö†(**Ø+p}ËÍKÓ  ?Õ,&  0H£!€QfËÍKÓ„Ø+Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.>2017-10-23 07:08:57.168ŸR ƒ•íYÉ€b¤C:\Windows\System32\consent.exe,&Ø**(,ºt*ËÍKÓ  ?Õ,&  0Hñ!€p}ËÍKÓ„Ø,Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.>¢(& Z>Z2017-10-23 07:08:57.181ŸR ‰•íYƒœb8C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC8D(**0-VÛËÍKÓ  ?Õ,&  0Hý!€ºt*ËÍKÓ„Ø-Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.@æ(,Z..2017-10-23 07:08:57.279ŸR ‰•íYŸbÀC:\Windows\System32\eventvwr.exe"C:\Windows\system32\eventvwr.exe" /l:"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%%4Operational.evtx"C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=967A4A8C5AE701AB8EA069F45764EB09AF4A89D2ŸR S–«Y­{ C:\Windows\explorer.exeC:\Windows\Explorer.EXE0**0.éEóËÍKÓ  ?Õ,&  0H÷!€VÛËÍKÓ„Ø.Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.6"(,Z@ä2017-10-23 07:08:57.720ŸR ‰•íY¼ÀbÜC:\Windows\System32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%%4Operational.evtx"C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=CF7AD4F94EDA214BD5283CB8AD57DB52D2D558FCŸR ‰•íYŸbÀC:\Windows\System32\eventvwr.exe"C:\Windows\system32\eventvwr.exe" /l:"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx"\Sys0**Ø/²¡ÖÍÍKÓ  ?Õ,&  0H¥!€éEóËÍKÓ„Ø/Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.@2017-10-23 07:08:58.590ŸR ‰•íYŸbÀC:\Windows\System32\eventvwr.exe8Ø**Ø0«KÎÍKÓ  ?Õ,&  0H£!€²¡ÖÍÍKÓ„Ø0Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.>2017-10-23 07:09:01.761ŸR ˆ•íYŸ•b|C:\Windows\System32\dllhost.exeäØ**Ø1~<óòÍKÓ  ?Õ,&  0H£!€«KÎÍKÓ„Ø1Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.>2017-10-23 07:09:02.200ŸR ‰•íYƒœb8C:\Windows\System32\dllhost.exe ÀØ**À2:”ÿ"ÎKÓ  ?Õ,&  0H‹!€~<óòÍKÓ„T2Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6  2017-10-23 07:10:02.101ŸR –«Yn‰ÄC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÇ111.221.29.254»httpsF1À**Ð3~«<ÎKÓ  ?Õ,&  0H›!€:”ÿ"ÎKÓ„Ø3Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.62017-10-23 07:11:24.621ŸR ‰•íY¼ÀbÜC:\Windows\System32\mmc.exeÐ**4¬Õ<ÎKÓ  ?Õ,&  0H[!€~«<ÎKÓ„Ø4Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.ö2017-10-23 07:12:07.700ŸR ¿‘íYÉ{;xC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.15063.410_none_9e914f9d2d85dacb\TiWorker.exeem**ð5‡‰XÎKÓ  ?Õ,&  0H·!€¬Õ<ÎKÓ„Ø5Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.R2017-10-23 07:12:07.981ŸR º‘íYöw;4C:\Windows\servicing\TrustedInstaller.exendowð**Ø6ð¶.YÎKÓ  ?Õ,&  0H£!€‡‰XÎKÓ„Ø6Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.>2017-10-23 07:12:54.449ŸR ª”íY èX„C:\Windows\System32\notepad.exe20Ø** 7ûŸYÎKÓ  ?Õ,&  0Hi!€ð¶.YÎKÓ„Ø7Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.B(,Z>T2017-10-23 07:12:55.539ŸR w–íYâôj¸C:\Windows\System32\taskhostw.exetaskhostw.exeC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=11EE71F4EA933B8F2861AD33A368E2779F7FEBBDŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs23  **È8‡‚­[ÎKÓ  ?Õ,&  0H“!€ûŸYÎKÓ„Ø8Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.>\(& Z@@2017-10-23 07:12:56.262ŸR x–íYkÈC:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroupC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=FD9154EC5FED8B2EE3A71E95CF62601AC9296509ŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exeilÈ**À9*·M\ÎKÓ  ?Õ,&  0H!€‡‚­[ÎKÓ„T9Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.B,  6 2017-10-23 07:12:57.535ŸR w–íYâôj¸C:\Windows\System32\taskhostw.exeDESKTOP-DF4ULDE\MNWPROtcp192.168.62.128DESKTOP-DF4ULDE.localdomain€Ç13.107.4.52PhttpÀ**À:ËÀª^ÎKÓ  ?Õ,&  0H‹!€*·M\ÎKÓ„T:Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6  2017-10-23 07:12:58.575ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÇ131.253.61.100»httpsalÀ**È;‚\fÎKÓ  ?Õ,&  0H‘!€ËÀª^ÎKÓ„T;Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.B,  6  2017-10-23 07:13:02.888ŸR w–íYâôj¸C:\Windows\System32\taskhostw.exeDESKTOP-DF4ULDE\MNWPROtcp192.168.62.128DESKTOP-DF4ULDE.localdomain‚Ç40.77.228.92»https23 È**ø<N\fÎKÓ  ?Õ,&  0HÃ!€‚\fÎKÓ„T<Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>8  :6 $ 2017-10-23 07:13:15.619ŸR –«Yõ àC:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfe80:0:0:0:252c:71a:8319:6430DESKTOP-DF4ULDE.localdomainÔff02:0:0:0:0:0:1:3ëllmnrø**Ð=sïgÎKÓ  ?Õ,&  0H—!€N\fÎKÓ„T=Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>8  B & 2017-10-23 07:13:15.619ŸR –«Yõ àC:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpc0a8:3e80:0:0:28c1:ab7b:8f86:ffffÔe000:fc:0:0:0:0:0:0ëllmnr0D95Ð**°>òïgÎKÓ  ?Õ,&  0Hw!€sïgÎKÓ„T>Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>4   2017-10-23 07:13:18.229ŸR –«Y–) C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudp127.0.0.1DESKTOP-DF4ULDEûÉ239.255.255.250lssdp**°**°?b-ÎKÓ  ?Õ,&  0Hw!€òïgÎKÓ„T?Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>4   2017-10-23 07:13:18.229ŸR –«Y–) C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudp239.255.255.250lssdp127.0.0.1DESKTOP-DF4ULDEûÉ.000°**Ð@ÖFÄÎKÓ  ?Õ,&  0H!€b-ÎKÓ„Ø@Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.RR(& Z@@2017-10-23 07:13:59.153ŸR ·–íY†Êk€C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=AA1D92CB47CE65E2D4D476560D6F0F452C530295ŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exe.Ð**HAFÜÎKÓ  ?Õ,&  0H!€ÖFÄÎKÓ„ØAMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.ö (& Z>Z2017-10-23 07:14:00.271ŸR ¸–íY²Ïk,C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.15063.410_none_9e914f9d2d85dacb\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.15063.410_none_9e914f9d2d85dacb\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=C7373181F4DF4FD8A5123B35F7A903327F6F2E36ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchSyH**˜B]¦šÎKÓ  ?Õ,&  0H_!€FÜÎKÓ„ØBMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.~„b& Z>l2017-10-23 07:14:27.621ŸR Ó–íYÐlì C:\Windows\SoftwareDistribution\Download\Install\NIS_Engine.exe"C:\Windows\SoftwareDistribution\Download\Install\NIS_Engine.exe" C:\Windows\SoftwareDistribution\Download\Install\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=1AF0E4B80BF4028F8DAC56EBF186B392E4E72486ŸR a’íYöPG,C:\Windows\System32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /RunHandlerComServerdows˜**xC¹¢Œ‘ÎKÓ  ?Õ,&  0H?!€]¦šÎKÓ„ØCMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.B6t& Z~„2017-10-23 07:14:28.245ŸR Ô–íY¾l8 C:\Windows\System32\MpSigStub.exeC:\Windows\system32\MpSigStub.exe /stub 1.1.14146.0 /payload 2.1.14202.0 /MpWUStub /program C:\Windows\SoftwareDistribution\Download\Install\NIS_Engine.exeC:\Windows\Temp\7A49F0BF-4136-4B26-B7C4-2DB8873CE22A-Sigs\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=5B205FC1A25354726677A30B25D8E41B3EF69D84ŸR Ó–íYÐlì C:\Windows\SoftwareDistribution\Download\Install\NIS_Engine.exe"C:\Windows\SoftwareDistribution\Download\Install\NIS_Engine.exe" x**˜D)5'’ÎKÓ  ?Õ,&  0H_!€¹¢Œ‘ÎKÓ„ØDMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü³Ìétlüâ:IŽ'1¶ÌÔˆŒÿÿ€Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .B¬..2017-10-23 07:14:30.106ŸR Ô–íY¾l8 C:\Windows\system32\MpSigStub.exeC:\Windows\Temp\D6AFD2F8-9286-46F9-BA66-56206BF7CE23c38.1d34bce906fa9db\GapaEngine.dll2017-09-28 18:47:10.0002017-10-23 07:14:30.106ost.˜**E×å…’ÎKÓ  ?Õ,&  0Hã!€)5'’ÎKÓ„ØEMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.~2017-10-23 07:14:31.122ŸR Ó–íYÐlì C:\Windows\SoftwareDistribution\Download\Install\NIS_Engine.exeWi**FNm·’ÎKÓ  ?Õ,&  0HW!€×å…’ÎKÓ„ØFMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx›.z€b& Z>l2017-10-23 07:14:31.723ŸR ×–íY^lèC:\Windows\SoftwareDistribution\Download\Install\NIS_Base.exe"C:\Windows\SoftwareDistribution\Download\Install\NIS_Base.exe" C:\Windows\SoftwareDistribution\Download\Install\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=A344B6ABADF0D621EA102376E0F5866A59778957ŸR a’íYöPG,C:\Windows\System32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /RunHandlerComServer-23 **èGð™»’ÎKÓ  ?Õ,&  0Hµ!€Nm·’ÎKÓ„ØGMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü³Ì.B¦..2017-10-23 07:14:32.043ŸR Ô–íY¾l8 C:\Windows\system32\MpSigStub.exeC:\Windows\Temp\D6AFD2F8-9286-46F9-BA66-56206BF7CE23c38.1d34bce906fa9db\NISbase.vdm2017-09-28 18:49:30.0002017-10-23 07:14:32.043è**H\::”ÎKÓ  ?Õ,&  0Hß!€ð™»’ÎKÓ„ØHMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«!.z2017-10-23 07:14:32.090ŸR ×–íY^lèC:\Windows\SoftwareDistribution\Download\Install\NIS_Base.exe\MNW**øI;:”ÎKÓ  ?Õ,&  0HÁ!€\::”ÎKÓ„TIMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>8  B N 2017-10-23 07:14:32.423ŸR –«Yõ àC:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpc0a8:3e80:0:0:28c1:ab7b:8f86:ffffÝïc0a8:3e02:7524:d301:60af:c715:7524:d3015domainpW*Âàø**ÐJš;:”ÎKÓ  ?Õ,&  0H›!€;:”ÎKÓ„TJMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>8  6  2017-10-23 07:14:32.428ŸR –«Yõ àC:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudp192.168.62.128DESKTOP-DF4ULDE.localdomainÝï192.168.62.25domainC:Ð**(K'<:”ÎKÓ  ?Õ,&  0Hó!€š;:”ÎKÓ„TKMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 h 2017-10-23 07:14:32.509ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainƒÇ23.217.143.123a23-217-143-123.deploy.static.akamaitechnologies.com»https(**ÀL†<:”ÎKÓ  ?Õ,&  0H‹!€'<:”ÎKÓ„TLMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6  2017-10-23 07:14:32.882ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain„Ç111.221.29.238»httpsÀ**(M„4s—ÎKÓ  ?Õ,&  0Hó!€†<:”ÎKÓ„TMMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 h 2017-10-23 07:14:33.195ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain…Ç104.118.70.115a104-118-70-115.deploy.static.akamaitechnologies.com»httpsxe(**(NLÑì—ÎKÓ  ?Õ,&  0Hï!€„4s—ÎKÓ„TNMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 f 2017-10-23 07:14:37.939ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain†Ç104.95.215.87a104-95-215-87.deploy.static.akamaitechnologies.com»https4+J(**¸O¾Òì—ÎKÓ  ?Õ,&  0H…!€LÑì—ÎKÓ„TOMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:38.809ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain‡Ç218.76.79.32PhttpG¸**ÀP(Óì—ÎKÓ  ?Õ,&  0H‡!€¾Òì—ÎKÓ„TPMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:38.902ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain‰Ç218.76.79.153Phttpÿ%8À**(Q¸N‘˜ÎKÓ  ?Õ,&  0Hï!€(Óì—ÎKÓ„TQMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 f 2017-10-23 07:14:39.000ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainˆÇ104.95.215.87a104-95-215-87.deploy.static.akamaitechnologies.com»httpsionP(**(R q3™ÎKÓ  ?Õ,&  0Hï!€¸N‘˜ÎKÓ„TRMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 f 2017-10-23 07:14:39.941ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainŠÇ104.95.215.87a104-95-215-87.deploy.static.akamaitechnologies.com»https 2(**¸Sºq3™ÎKÓ  ?Õ,&  0H…!€ q3™ÎKÓ„TSMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:40.811ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainŒÇ218.76.79.32Phttp¸**ÀT.r3™ÎKÓ  ?Õ,&  0H‡!€ºq3™ÎKÓ„TTMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:40.890ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÇ218.76.79.154Phttp cÀò.>4  ?Õ,&  0:15.€.r3™ÎKÓ„TUMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙLOCAL SERVICEudp ElfChnkUªUª€°û˜ÿbýײž›-óè8=Î÷²›f?øm©MFº“ø&kÔcá{Ü**° U‘r3™ÎKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0HÉ!€.r3™ÎKÓ„TUMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oécß#O*ú6†öE6^OÊ^Âÿÿ¶D‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ8=User Aÿÿ'8=Protocol Aÿÿ)8= Initiated  Aÿÿ/8!= SourceIsIpv6  Aÿÿ'8=SourceIp Aÿÿ38%=SourceHostname Aÿÿ+8= SourcePort Aÿÿ38%=SourcePortName Aÿÿ98+=DestinationIsIpv6 Aÿÿ18#= DestinationIp Aÿÿ=8/=DestinationHostname Aÿÿ58'=DestinationPort Aÿÿ=8/=DestinationPortName .>&  6 f 2017-10-23 07:14:40.973ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain‹Ç104.95.215.87a104-95-215-87.deploy.static.akamaitechnologies.com»httpsw!° **(VJ§Ü™ÎKÓ  ?Õ,&  0Hï!€‘r3™ÎKÓ„TVMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 f 2017-10-23 07:14:41.733ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainŽÇ104.95.215.87a104-95-215-87.deploy.static.akamaitechnologies.com»httpsMicr(**¸W¨Ü™ÎKÓ  ?Õ,&  0H…!€J§Ü™ÎKÓ„TWMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:42.713ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÇ218.76.79.32Phttpr¸**¸XŽSVšÎKÓ  ?Õ,&  0H…!€¨Ü™ÎKÓ„TXMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:42.786ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain‘Ç218.76.79.24Phttp¸**(YÎÄúšÎKÓ  ?Õ,&  0Hï!€ŽSVšÎKÓ„TYMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 f 2017-10-23 07:14:42.884ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÇ104.95.215.87a104-95-215-87.deploy.static.akamaitechnologies.com»httpss-Sy(** Z뜛ÎKÓ  ?Õ,&  0Hë!€ÎÄúšÎKÓ„TZMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 d 2017-10-23 07:14:44.022ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain’Ç104.120.8.79a104-120-8-79.deploy.static.akamaitechnologies.com»https **À[—뜛ÎKÓ  ?Õ,&  0H‡!€뜛ÎKÓ„T[Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:45.045ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain“Ç116.211.79.15Phttp\v1.À** \½í=œÎKÓ  ?Õ,&  0Hç!€—뜛ÎKÓ„T\Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 b 2017-10-23 07:14:45.184ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain”Ç104.76.0.64a104-76-0-64.deploy.static.akamaitechnologies.com»httpsÿ!8 ** ]mî=œÎKÓ  ?Õ,&  0Hë!€½í=œÎKÓ„T]Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 d 2017-10-23 07:14:46.260ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain•Ç104.120.8.79a104-120-8-79.deploy.static.akamaitechnologies.com»https0 **À^Þî=œÎKÓ  ?Õ,&  0H‡!€mî=œÎKÓ„T^Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:46.792ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain–Ç116.211.79.15PhttpÀ** _¡|ÎKÓ  ?Õ,&  0Hç!€Þî=œÎKÓ„T_Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 b 2017-10-23 07:14:46.930ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain—Ç104.76.0.64a104-76-0-64.deploy.static.akamaitechnologies.com»httpsosof **À`2 |ÎKÓ  ?Õ,&  0H‰!€¡|ÎKÓ„T`Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.211ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain˜Ç220.202.77.125PhttpWinÀ**Àaƒ |ÎKÓ  ?Õ,&  0H‰!€2 |ÎKÓ„TaMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.221ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain™Ç220.202.77.116PhttpiseÀ**Àb |ÎKÓ  ?Õ,&  0H‡!€ƒ |ÎKÓ„TbMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.560ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainšÇ61.163.111.70Phttp_8pW*ÂàÀ**Àcþ |ÎKÓ  ?Õ,&  0H‰!€Â |ÎKÓ„TcMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.587ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain›Ç220.202.77.124Phttp2ŸRÀ**Àd:!|ÎKÓ  ?Õ,&  0H‰!€þ |ÎKÓ„TdMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.679ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainœÇ220.202.77.124PhttpowsÀ**Àev!|ÎKÓ  ?Õ,&  0H‡!€:!|ÎKÓ„TeMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.690ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÇ61.163.111.70PhttpÀ**Àf¶!|ÎKÓ  ?Õ,&  0H‡!€v!|ÎKÓ„TfMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.695ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainžÇ125.46.22.129Phttp¼ ™À**Àgî!|ÎKÓ  ?Õ,&  0H‰!€¶!|ÎKÓ„TgMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.695ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainŸÇ220.202.77.125PhttplobÀ**Àh."|ÎKÓ  ?Õ,&  0H‰!€î!|ÎKÓ„ThMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.699ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain Ç220.202.77.116Phttp„À**Àii"|ÎKÓ  ?Õ,&  0H‡!€."|ÎKÓ„TiMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.719ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain¡Ç61.163.111.69PhttpÀ**Àj¢"|ÎKÓ  ?Õ,&  0H‰!€i"|ÎKÓ„TjMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.811ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain£Ç220.202.77.116Phttp17.À**ÀkÚ"|ÎKÓ  ?Õ,&  0H‡!€¢"|ÎKÓ„TkMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.815ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain¢Ç125.46.22.129Phttps-SyÀ**Àl#|ÎKÓ  ?Õ,&  0H‰!€Ú"|ÎKÓ„TlMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.857ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain¥Ç220.202.77.124PhttpstaÀ**ÀmH#|ÎKÓ  ?Õ,&  0H‡!€#|ÎKÓ„TmMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.857ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain¨Ç125.46.22.129PhttpKÓÀ**Àn€#|ÎKÓ  ?Õ,&  0H‰!€H#|ÎKÓ„TnMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.857ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain§Ç220.202.77.125PhttpA1=À**Àoµ#|ÎKÓ  ?Õ,&  0H‰!€€#|ÎKÓ„ToMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.857ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain©Ç220.202.77.116Phttp׉XÀ**Àpø#|ÎKÓ  ?Õ,&  0H‰!€µ#|ÎKÓ„TpMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.860ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain­Ç220.202.77.124PhttpÀ**Àq7$|ÎKÓ  ?Õ,&  0H‰!€ø#|ÎKÓ„TqMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.860ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainªÇ220.202.77.124Phttp ÀÀ**Àrp$|ÎKÓ  ?Õ,&  0H‡!€7$|ÎKÓ„TrMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.860ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain¯Ç125.46.22.129Phttp2\svÀ**Às¥$|ÎKÓ  ?Õ,&  0H‰!€p$|ÎKÓ„TsMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.864ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain¶Ç220.202.77.116PhttpicrÀ**ÀtÝ$|ÎKÓ  ?Õ,&  0H‰!€¥$|ÎKÓ„TtMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.864ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain°Ç220.202.77.125Phttp:\WÀ**Àu%|ÎKÓ  ?Õ,&  0H‰!€Ý$|ÎKÓ„TuMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.865ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain²Ç220.202.77.124PhttpÀ**ÀvG%|ÎKÓ  ?Õ,&  0H‰!€%|ÎKÓ„TvMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.867ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain¸Ç220.202.77.124PhttpatiÀ**Àw|%|ÎKÓ  ?Õ,&  0H‡!€G%|ÎKÓ„TwMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.867ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainµÇ125.46.22.129Phttp\sysÀ**Àx´%|ÎKÓ  ?Õ,&  0H‰!€|%|ÎKÓ„TxMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.867ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain´Ç220.202.77.125PhttpÀ**Àyé%|ÎKÓ  ?Õ,&  0H‡!€´%|ÎKÓ„TyMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.867ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain±Ç61.163.111.69Phttp C–«YÀ**Àz%&|ÎKÓ  ?Õ,&  0H‡!€é%|ÎKÓ„TzMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.867ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain«Ç61.163.111.69Phttpwr.eÀ**À{e&|ÎKÓ  ?Õ,&  0H‡!€%&|ÎKÓ„T{Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.867ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain¤Ç61.163.111.69PhttpSÀ**À|¹&|ÎKÓ  ?Õ,&  0H‡!€e&|ÎKÓ„T|Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.867ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain¦Ç61.163.111.70Phttp.640À**À}î&|ÎKÓ  ?Õ,&  0H‡!€¹&|ÎKÓ„T}Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.867ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain¹Ç61.163.111.70PhttpÀ**À~5'|ÎKÓ  ?Õ,&  0H‰!€î&|ÎKÓ„T~Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.867ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain»Ç220.202.77.125PhttpnalÀ**Àx'|ÎKÓ  ?Õ,&  0H‡!€5'|ÎKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.867ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainºÇ125.46.22.129Phttp32\sÀ**À€»'|ÎKÓ  ?Õ,&  0H‡!€x'|ÎKÓ„T€Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.867ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain®Ç61.163.111.70Phttpevt\À**Àï'|ÎKÓ  ?Õ,&  0H‰!€»'|ÎKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.867ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain¼Ç220.202.77.116PhttpmonÀ**À‚((|ÎKÓ  ?Õ,&  0H‡!€ï'|ÎKÓ„T‚Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.869ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain¬Ç61.163.111.70PhttpD57DÀ**Àƒ](|ÎKÓ  ?Õ,&  0H‰!€((|ÎKÓ„TƒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.869ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain¾Ç220.202.77.124Phttp23 À**À„•(|ÎKÓ  ?Õ,&  0H‰!€](|ÎKÓ„T„Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.873ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÉÇ220.202.77.116Phttp!À**À…Ê(|ÎKÓ  ?Õ,&  0H‡!€•(|ÎKÓ„T…Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.873ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÀÇ125.46.22.129Phttp À**À†)|ÎKÓ  ?Õ,&  0H‰!€Ê(|ÎKÓ„T†Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.873ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÁÇ220.202.77.125Phttp-10À**À‡7)|ÎKÓ  ?Õ,&  0H‰!€)|ÎKÓ„T‡Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.873ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÎÇ220.202.77.125Phttpne_À**Àˆl)|ÎKÓ  ?Õ,&  0H‰!€7)|ÎKÓ„TˆMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.873ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÈÇ220.202.77.125Phttp„À**À‰¡)|ÎKÓ  ?Õ,&  0H‰!€l)|ÎKÓ„T‰Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.873ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainËÇ220.202.77.124PhttpÀ**ÀŠÖ)|ÎKÓ  ?Õ,&  0H‰!€¡)|ÎKÓ„TŠMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.873ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÏÇ220.202.77.116Phttp8À**À‹ *|ÎKÓ  ?Õ,&  0H‡!€Ö)|ÎKÓ„T‹Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.873ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÇÇ125.46.22.129Phttpows\À**ÀŒ@*|ÎKÓ  ?Õ,&  0H‡!€ *|ÎKÓ„TŒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.873ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain·Ç61.163.111.69Phttp2.16À**Àu*|ÎKÓ  ?Õ,&  0H‡!€@*|ÎKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.873ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÍÇ125.46.22.129Phttp.62.À**ÀŽª*|ÎKÓ  ?Õ,&  0H‡!€u*|ÎKÓ„TŽMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.873ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÄÇ125.46.22.129Phttp2.16À**Àâ*|ÎKÓ  ?Õ,&  0H‰!€ª*|ÎKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.875ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÅÇ220.202.77.124PhttppÀ**À+|ÎKÓ  ?Õ,&  0H‡!€â*|ÎKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.875ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain³Ç61.163.111.70PhttpT AUÀ**À‘L+|ÎKÓ  ?Õ,&  0H‡!€+|ÎKÓ„T‘Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.875ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÐÇ61.163.111.69Phttpost.À**À’+|ÎKÓ  ?Õ,&  0H‰!€L+|ÎKÓ„T’Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.875ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÓÇ220.202.77.125Phttp AUÀ**À“¶+|ÎKÓ  ?Õ,&  0H‰!€+|ÎKÓ„T“Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.879ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÑÇ220.202.77.124Phttp\WiÀ**À”ë+|ÎKÓ  ?Õ,&  0H‡!€¶+|ÎKÓ„T”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.880ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain¿Ç61.163.111.70Phttps-SyÀ**À•#,|ÎKÓ  ?Õ,&  0H‡!€ë+|ÎKÓ„T•Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.880ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÒÇ61.163.111.69Phttp:\WiÀ**À–X,|ÎKÓ  ?Õ,&  0H‡!€#,|ÎKÓ„T–Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.880ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÌÇ61.163.111.70Phttp.À**À—,|ÎKÓ  ?Õ,&  0H‡!€X,|ÎKÓ„T—Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.883ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÊÇ61.163.111.69Phttptem3À**À˜Â,|ÎKÓ  ?Õ,&  0H‡!€,|ÎKÓ„T˜Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.887ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÂÇ61.163.111.70Phttp32\MÀ**À™ú,|ÎKÓ  ?Õ,&  0H‡!€Â,|ÎKÓ„T™Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.887ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÆÇ61.163.111.70Phttpe"C:À**Àš/-|ÎKÓ  ?Õ,&  0H‡!€ú,|ÎKÓ„TšMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:47.887ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÃÇ61.163.111.69PhttpTÀ**À›˜ÖõÎKÓ  ?Õ,&  0H‡!€/-|ÎKÓ„T›Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 2017-10-23 07:14:48.042ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain½Ç61.163.111.69Phttp À**ÀœAƒŽžÎKÓ  ?Õ,&  0H‹!€˜ÖõÎKÓ„TœMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6  2017-10-23 07:14:49.203ŸR –«Yn‰ÄC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÔÇ111.221.29.254»httpsowÀ**Z,¬žÎKÓ  ?Õ,&  0HÝ!€AƒŽžÎKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxkÔÀ5ñxaæâçz|°âÊRÿÿFAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .ˆŽb& Z>l2017-10-23 07:14:51.930ŸR ë–íY¸l C:\Windows\SoftwareDistribution\Download\Install\NIS_Delta_Patch.exe"C:\Windows\SoftwareDistribution\Download\Install\NIS_Delta_Patch.exe" C:\Windows\SoftwareDistribution\Download\Install\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=1258097E3A81F4FEFE035C1FDED98204E1797812ŸR a’íYöPG,C:\Windows\System32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /RunHandlerComServern**èž.unŸÎKÓ  ?Õ,&  0H³!€Z,¬žÎKÓ„ØžMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü{Üétlüâ:IŽ'1¶ÌÔˆŒÿÿ€Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .B..2017-10-23 07:14:52.122ŸR Ô–íY¾l8 C:\Windows\system32\MpSigStub.exeC:\Windows\Temp\D6AFD2F8-9286-46F9-BA66-56206BF7CE23c38.1d34bce906fa9db\118.0.0.0_to_118.0.0.0_NISfull.vdm_source_NISbase.vdm._p2017-09-28 18:53:34.0002017-10-23 07:14:52.122 è**ÀŸc.oŸÎKÓ  ?Õ,&  0H‰!€.unŸÎKÓ„ØŸMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åcá¢å _Ö¡`Ÿ(À›AÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .B2017-10-23 07:14:53.387ŸR Ô–íY¾l8 C:\Windows\System32\MpSigStub.exe6À**  )ÇŽ¡ÎKÓ  ?Õ,&  0Hí!€c.oŸÎKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åcá.ˆ2017-10-23 07:14:53.403ŸR ë–íY¸l C:\Windows\SoftwareDistribution\Download\Install\NIS_Delta_Patch.exe **Ø¡Gpš¡ÎKÓ  ?Õ,&  0H£!€)ÇŽ¡ÎKÓ„Ø¡Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åcá.>2017-10-23 07:14:56.965ŸR a’íYöPG,C:\Windows\System32\wuauclt.exeØ**ø¢`6¥¡ÎKÓ  ?Õ,&  0HÁ!€Gpš¡ÎKÓ„Ø¢Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åcá.\2017-10-23 07:14:57.043ŸR Ù‘íYÄ;üC:\Program Files\Windows Defender\MpCmdRun.exeø**Ø£9;¥¡ÎKÓ  ?Õ,&  0H£!€`6¥¡ÎKÓ„Ø£Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åcá.>2017-10-23 07:14:57.106ŸR Ù‘íYæÄ;C:\Windows\System32\conhost.exeØ**ø¤þŽ»¡ÎKÓ  ?Õ,&  0HÁ!€9;¥¡ÎKӄؤMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åcá.\2017-10-23 07:14:57.106ŸR Ù‘íYQÁ;ôC:\Program Files\Windows Defender\MpCmdRun.exeHORø**Ø¥X¥Ô¢ÎKÓ  ?Õ,&  0H£!€þŽ»¡ÎKÓ„Ø¥Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åcá.>2017-10-23 07:14:57.262ŸR x–íYkÈC:\Windows\System32\svchost.exeowØ**À¦78 £ÎKÓ  ?Õ,&  0H‹!€X¥Ô¢ÎKÓ„T¦Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6  2017-10-23 07:14:57.961ŸR –«Yn‰ÄC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÕÇ111.221.29.254»httpsSyÀ**ð§eõ5¥ÎKÓ  ?Õ,&  0H·!€78 £ÎKӄاMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü{Ü.>¬..2017-10-23 07:14:59.590ŸR –«Y³ûôC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\Download\6ebbaab48a77a481a3e3dc349e6b7002\BlockMap.xml2012-12-31 08:00:00.0002017-10-23 07:14:59.559t-Wið**(¨V¨ÎKÓ  ?Õ,&  0Hï!€eõ5¥ÎKÓ„T¨Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oé.>&  6 f 2017-10-23 07:15:01.429ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÖÇ104.95.215.87a104-95-215-87.deploy.static.akamaitechnologies.com»httpst-Wi(**X©° $¨ÎKÓ  ?Õ,&  0H#!€V¨ÎKÓ„H©Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ].,Γø].,ήÄÃÜνŠÀïiQÙ2ÿÿ&Aÿÿ%8=UtcTime Aÿÿ-8= ImageLoaded Aÿÿ#8=Hashes Aÿÿ#8=Signed Aÿÿ)8= Signature Aÿÿ58'=SignatureStatus .êZ* 2017-10-23 07:15:07.793C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F34E2D8F-0005-4ACE-9632-2A3DB1E2BC40}\MpKslcb91f898.sysSHA1=38310AD6805DC31D5AA61BE182689D63060ACE94trueMicrosoft CorporationValidtcX**誱¢©ÎKÓ  ?Õ,&  0H³!€° $¨ÎKӄتMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxkÔ.>D(& ZZ^2017-10-23 07:15:08.013ŸR ü–íYõ nÀC:\Windows\System32\svchost.exe"c:\windows\system32\\svchost.exe"C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=FD9154EC5FED8B2EE3A71E95CF62601AC9296509ŸR –«Y’¬C:\Program Files\Windows Defender\MsMpEng.exe"C:\Program Files\Windows Defender\MsMpEng.exe"èMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙLOCAL SERVICEudp ElfChnk«ù«ù€ýèþ·¦n>ªeªóè8=Î÷²›f?øm©MFº&+é**˜«±o«ÎKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H³!€±¢©ÎKÓ„Ø«Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé¢å _Ö¡`Ÿ(À›AøÿÿìD‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .>2017-10-23 07:15:10.513ŸR ü–íYõ nÀC:\Windows\System32\svchost.exe S˜**X¬Ô4&­ÎKÓ  ?Õ,&  0H!€±o«ÎKÓ„T¬Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ cß#O*ú6†öE6^OÊ^”ÿÿˆAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ8=User Aÿÿ'8=Protocol Aÿÿ)8= Initiated  Aÿÿ/8!= SourceIsIpv6  Aÿÿ'8=SourceIp Aÿÿ38%=SourceHostname Aÿÿ+8= SourcePort Aÿÿ38%=SourcePortName Aÿÿ98+=DestinationIsIpv6 Aÿÿ18#= DestinationIp Aÿÿ=8/=DestinationHostname Aÿÿ58'=DestinationPort Aÿÿ=8/=DestinationPortName . &  6 2017-10-23 07:15:12.494ŸR ä•«YëSystemNT AUTHORITY\SYSTEMudp192.168.62.128DESKTOP-DF4ULDE.localdomain‰netbios-ns192.168.62.2‰netbios-ns192X**­l®ÎKÓ  ?Õ,&  0HW!€Ô4&­ÎKÓ„Ø­Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+À5ñxaæâçz|°âÊRÿÿFAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .r (, Z..2017-10-23 07:15:16.382ŸR —íY™o`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools'C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=F31C17E0453F27BE85730E316840F11522DDEC3EŸR S–«Y­{ C:\Windows\explorer.exeC:\Windows\Explorer.EXE c**`® ίÎKÓ  ?Õ,&  0H)!€l®ÎKÓ„Ø®Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.>n, Zr 2017-10-23 07:15:18.547ŸR —íY1¢ox C:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR —íY™o`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\tool-test\tools'4UL`**௽bÉÎKÓ  ?Õ,&  0H­!€ ίÎKӄدMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüÓ tlüâ:IŽ'1¶ÌÔˆŒÿÿ€Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .rÊ..2017-10-23 07:15:19.638ŸR —íY™o`C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\MNWPRO\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1JWWYBJDWEE69SRQBX64.temp2017-09-03 11:07:06.6582017-10-23 07:15:19.621à**ð°–rÉÎKÓ  ?Õ,&  0H·!€½bÉÎKÓ„Ø°Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.R2017-10-23 07:16:03.778ŸR ·–íY†Êk€C:\Windows\servicing\TrustedInstaller.exeð**±~]ÕÏÎKÓ  ?Õ,&  0H[!€–rÉÎKӄرMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.ö2017-10-23 07:16:03.887ŸR ¸–íY²Ïk,C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.15063.410_none_9e914f9d2d85dacb\TiWorker.exelo**À²$^ÕÏÎKÓ  ?Õ,&  0H‹!€~]ÕÏÎKÓ„T²Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 2017-10-23 07:16:12.508ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomain×Ç116.211.248.135PhttpULÀ**À³V)_ÒÎKÓ  ?Õ,&  0H‡!€$^ÕÏÎKÓ„T³Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 2017-10-23 07:16:12.513ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainØÇ219.138.28.40PhttpF4ULÀ**(´ñjÓÎKÓ  ?Õ,&  0Hñ!€V)_ÒÎKÓ„Ø´Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.>¢(& Z>Z2017-10-23 07:16:18.852ŸR B—íYè.sX C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchsof(**øµáÈ ÔÎKÓ  ?Õ,&  0HÃ!€ñjÓÎKÓ„TµMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 : 2017-10-23 07:16:19.378ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÙÇ111.221.29.40gap-prime-finance.msn-int.com»httpscrø**À¶‘É ÔÎKÓ  ?Õ,&  0H‰!€áÈ ÔÎKÓ„T¶Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 2017-10-23 07:16:20.056ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÛÇ123.53.139.217PhttpicrÀ**À·ûÉ ÔÎKÓ  ?Õ,&  0H‰!€‘É ÔÎKÓ„T·Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 2017-10-23 07:16:20.061ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÚÇ111.178.234.59PhttpicrÀ**À¸5°ÔÎKÓ  ?Õ,&  0H‰!€ûÉ ÔÎKÓ„T¸Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 2017-10-23 07:16:20.175ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÜÇ123.161.56.131PhttpicrÀ**ð¹8ÞGÕÎKÓ  ?Õ,&  0H·!€5°ÔÎKӄعMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü.>¬..2017-10-23 07:16:22.731ŸR –«Y³ûôC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\Download\6c94699609ce39feff1076bfb74e6d85\BlockMap.xml2012-12-31 08:00:00.0002017-10-23 07:16:22.559/Opeð**øº—gRÕÎKÓ  ?Õ,&  0HÃ!€8ÞGÕÎKÓ„TºMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 : 2017-10-23 07:16:22.126ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÝÇ111.221.29.40gap-prime-finance.msn-int.com»httpsø**ð»t¹rÕÎKÓ  ?Õ,&  0H·!€—gRÕÎKÓ„Ø»Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü.>¬..2017-10-23 07:16:23.809ŸR –«Y³ûôC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\Download\6c94699609ce39feff1076bfb74e6d85\BlockMap.xml2012-12-31 08:00:00.0002012-12-31 08:00:00.0002ð**À¼%ŒÖÎKÓ  ?Õ,&  0H‰!€t¹rÕÎKÓ„T¼Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 2017-10-23 07:16:22.779ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainÞÇ111.178.234.59Phttp2À**(½ÐË?×ÎKÓ  ?Õ,&  0Hï!€%ŒÖÎKÓ„T½Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 f 2017-10-23 07:16:24.605ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainßÇ23.206.234.83a23-206-234-83.deploy.static.akamaitechnologies.com»httpsm32\(**ؾ V×ÎKÓ  ?Õ,&  0H£!€ÐË?×ÎKӄؾMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:16:27.044ŸR B—íYè.sX C:\Windows\System32\dllhost.exeowØ**ð¿‹(ØÎKÓ  ?Õ,&  0H·!€ V×ÎKÓ„Ø¿Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü.>¬..2017-10-23 07:16:27.184ŸR –«Y³ûôC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\Download\b3c5576a728f0d27ace1f53678ee010b\BlockMap.xml2012-12-31 08:00:00.0002017-10-23 07:16:26.950 cð**ðÀÖØÎKÓ  ?Õ,&  0H·!€‹(ØÎKÓ„ØÀMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü.>¬..2017-10-23 07:16:28.466ŸR –«Y³ûôC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\Download\b3c5576a728f0d27ace1f53678ee010b\BlockMap.xml2012-12-31 08:00:00.0002012-12-31 08:00:00.000 6ð**(Á ×‹ÙÎKÓ  ?Õ,&  0Hñ!€ÖØÎKÓ„ØÁMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.>¢(& Z>Z2017-10-23 07:16:29.711ŸR M—íY Vt C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLauncho(**ÀÂIØ‹ÙÎKÓ  ?Õ,&  0H‰!€ ×‹ÙÎKÓ„TÂMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 2017-10-23 07:16:28.957ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainàÇ111.178.234.59PhttppÀ**ÀÃKmÛÎKÓ  ?Õ,&  0H‰!€IØ‹ÙÎKÓ„TÃMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 2017-10-23 07:16:28.957ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomaináÇ111.178.234.59PhttpqÀ**øÄ}…âÛÎKÓ  ?Õ,&  0HÃ!€KmÛÎKÓ„TÄMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 : 2017-10-23 07:16:32.928ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainâÇ111.221.29.40gap-prime-finance.msn-int.com»httpsø**ØÅA˜äÛÎKÓ  ?Õ,&  0H£!€}…âÛÎKÓ„ØÅMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:16:34.825ŸR M—íY Vt C:\Windows\System32\dllhost.exeY\Ø**ÀÆù˜äÛÎKÓ  ?Õ,&  0H‰!€A˜äÛÎKÓ„TÆMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 2017-10-23 07:16:33.605ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainãÇ123.161.56.131PhttpTY\À**ÀÇÌÝeÞÎKÓ  ?Õ,&  0H‰!€ù˜äÛÎKÓ„TÇMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 2017-10-23 07:16:33.608ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainäÇ111.178.233.84PhttpTY\À**(È{òáÎKÓ  ?Õ,&  0Hï!€ÌÝeÞÎKÓ„TÈMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 f 2017-10-23 07:16:37.729ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainåÇ104.95.215.87a104-95-215-87.deploy.static.akamaitechnologies.com»httpsdoma(**(ÉæçâÎKÓ  ?Õ,&  0Hï!€{òáÎKÓ„TÉMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 f 2017-10-23 07:16:43.291ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainæÇ104.95.215.87a104-95-215-87.deploy.static.akamaitechnologies.com»https(**ÀÊ¡[æÎKÓ  ?Õ,&  0H‰!€æçâÎKÓ„TÊMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>&  6 2017-10-23 07:16:44.052ŸR –«Y³ûôC:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcp192.168.62.128DESKTOP-DF4ULDE.localdomainçÇ123.53.139.217PhttpÀ**Ë˳æÎKÓ  ?Õ,&  0Hã!€¡[æÎKÓ„ØËMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.Tl(& ZJ`2017-10-23 07:16:52.388ŸR d—íY@³vpC:\Windows\System32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe26_ Global\UsGthrCtrlFltPipeMssGthrPipe26 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=95BEE7F8274B133E9AB524C330ACAE7E69492CFDŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embeddingow**0Ìå6ÏKÓ  ?Õ,&  0H÷!€Ë³æÎKÓ„ØÌMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.P„(& ZJ`2017-10-23 07:16:52.968ŸR d—íYÖºvÌC:\Windows\System32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 688 692 700 8192 696 C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççMediumSHA1=E650ECE4807C47CE70E4773B298CE789D3885072ŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embeddingp0**(͇å6ÏKÓ  ?Õ,&  0Hó!€å6ÏKÓ„TÍMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>,  6 f2017-10-23 07:17:33.743ŸR L–«Yp¾C:\Windows\System32\svchost.exeDESKTOP-DF4ULDE\MNWPROtcp192.168.62.128DESKTOP-DF4ULDE.localdomainèÇ104.95.200.78a104-95-200-78.deploy.static.akamaitechnologies.comPhttp3.(**(ÎæŠfÏKÓ  ?Õ,&  0Hñ!€‡å6ÏKÓ„TÎMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>,  6 d 2017-10-23 07:17:33.769ŸR L–«Yp¾C:\Windows\System32\svchost.exeDESKTOP-DF4ULDE\MNWPROtcp192.168.62.128DESKTOP-DF4ULDE.localdomainéÇ23.41.177.88a23-41-177-88.deploy.static.akamaitechnologies.com»https(**ÏØDiÏKÓ  ?Õ,&  0H×!€æŠfÏKÓ„ØÏMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.r2017-10-23 07:17:42.778ŸR —íY™o`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe128D**ØÐ÷s¦ÏKÓ  ?Õ,&  0H£!€ØDiÏKÓ„ØÐMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:17:42.794ŸR —íY1¢ox C:\Windows\System32\conhost.exeØ**˜Ñ2CXÏKÓ  ?Õ,&  0Ha!€÷s¦ÏKÓ„ØÑMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.x¨(& Zbf2017-10-23 07:17:48.244ŸR œ—íY›x€ C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1920 1080 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"€»'|˜**ÒS7ÏKÓ  ?Õ,&  0HÝ!€2CXÏKÓ„ØÒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.x2017-10-23 07:17:49.404ŸR œ—íY›x€ C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe0**ðÓ{8ÏKÓ  ?Õ,&  0H¹!€S7ÏKÓ„ØÓMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.T2017-10-23 07:18:09.325ŸR d—íY@³vpC:\Windows\System32\SearchProtocolHost.exeôð**èÔ‚,ÏKÓ  ?Õ,&  0Hµ!€{8ÏKÓ„ØÔMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.P2017-10-23 07:18:09.325ŸR d—íYÖºvÌC:\Windows\System32\SearchFilterHost.exerè**Õ„æqYÏKÓ  ?Õ,&  0HÓ!€‚,ÏKÓ„TÕMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>4  < $2017-10-23 07:18:47.356ŸR –«Y… ˆC:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfe80:0:0:0:2076:3774:3f57:c17fDESKTOP-DF4ULDE"dhcpv6-clientff02:0:0:0:0:0:1:2#dhcpv6-server c**ÐÖÓéqYÏKÓ  ?Õ,&  0H™!€„æqYÏKÓ„TÖMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>4   2017-10-23 07:20:04.369ŸR –«Y–) C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudp0:0:0:0:0:0:0:1DESKTOP-DF4ULDE4à0:0:0:0:0:0:0:1DESKTOP-DF4ULDE4à.Ð**Ðׇ-¾YÏKÓ  ?Õ,&  0H™!€ÓéqYÏKÓ„T×Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>4   2017-10-23 07:20:04.369ŸR –«Y–) C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudp0:0:0:0:0:0:0:1DESKTOP-DF4ULDEùÉ0:0:0:0:0:0:0:1DESKTOP-DF4ULDEùÉ&Ð**°Ø‚ðûeÏKÓ  ?Õ,&  0Hw!€‡-¾YÏKÓ„TØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ .>4   2017-10-23 07:20:04.590ŸR –«Y–) C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudp239.255.255.250lssdp127.0.0.1DESKTOP-DF4ULDE5à.°**ÙL vÏKÓ  ?Õ,&  0HÍ!€‚ðûeÏKÓ„ØÙMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü.bž..2017-10-23 07:20:26.513ŸR ‡–«Y#ŽC:\Program Files\VMware\VMware Tools\vmtoolsd.exeC:\Users\MNWPRO\AppData\Local\Temp\vmware-MNWPRO\VMwareDnD\882c9f80\ToHanJY.zip2017-10-13 15:49:44.3592017-10-23 07:20:21.6542**Ú‡mwvÏKÓ  ?Õ,&  0HW!€L vÏKÓ„ØÚMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü..\..2017-10-23 07:20:53.575ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\ToHanJY\ToHanJY\åeg^yYeÿܧc.rar2017-09-04 11:40:54.0002017-10-23 07:20:43.231&**Û÷ð>wÏKÓ  ?Õ,&  0HW!€‡mwvÏKÓ„ØÛMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü..\..2017-10-23 07:20:54.154ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\ToHanJY\ToHanJY\(glšgÈ~¥bJT.docx2015-07-17 03:08:32.0002017-10-23 07:20:53.967rati**˜ÜÜŠzÏKÓ  ?Õ,&  0He!€÷ð>wÏKÓ„ØÜMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü..j..2017-10-23 07:20:55.466ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\ToHanJY\ToHanJY\7h,gRg¥bJT2014.05.docx2015-09-24 03:10:02.0002017-10-23 07:20:55.325i˜**Ýür?aÐKÓ  ?Õ,&  0HY!€ÜŠzÏKÓ„ØÝMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü..^..2017-10-23 07:21:00.997ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\ToHanJY\ToHanJY\ƒzÆ[(glš7h,gGl;`.rar2016-04-09 11:48:08.0002017-10-23 07:20:55.857-Sy**ÞÙ»ÂaÐKÓ  ?Õ,&  0Hå!€ür?aÐKÓ„ØÞMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.Zt(, Z>Z2017-10-23 07:27:28.046ŸR à™íY¥ŠÈC:\Program Files\Windows Defender\MpUXSrv.exe"C:\Program Files\Windows Defender\mpuxsrv.exe" -EmbeddingC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=2992ACDF75E97C60729739515B1FE54D94BB6303ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchT**øß>¾jcÐKÓ  ?Õ,&  0H¿!€Ù»ÂaÐKÓ„ØßMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.Z2017-10-23 07:27:28.904ŸR à™íY¥ŠÈC:\Program Files\Windows Defender\MpUXSrv.exe ø**àgtEjÐKÓ  ?Õ,&  0HÍ!€>¾jcÐKÓ„ØàMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.>J(4 Z>€2017-10-23 07:27:31.639ŸR ã™íYpØŠHC:\Windows\System32\audiodg.exeC:\Windows\system32\AUDIODG.EXE 0x3a8C:\Windows\system32\NT AUTHORITY\LOCAL SERVICEŸR –«Y ååSystemSHA1=3F4F3B6D6120FB33B4AEEA3723E5D7693F8EC013ŸR –«YêSxC:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2**˜áê€mjÐKÓ  ?Õ,&  0Ha!€gtEjÐKÓ„ØáMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.x¨(& Zbf2017-10-23 07:27:43.207ŸR ï™íYž.‹¤C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1920 1080 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"5ŸR˜**â@d‡sÐKÓ  ?Õ,&  0HÝ!€ê€mjÐKÓ„ØâMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.x2017-10-23 07:27:43.455ŸR ï™íYž.‹¤C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exew**0ãïÐ{tÐKÓ  ?Õ,&  0H÷!€@d‡sÐKÓ„ØãMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.>¢(, Z>Z2017-10-23 07:27:58.740ŸR þ™íYÚ‰‹ÄC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{45BA127D-10A8-46EA-8AB7-56EA9078943C}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchDE.l0**€äåuÐKÓ  ?Õ,&  0HI!€ïÐ{tÐKÓ„ØäMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.¢(„,Z>Z2017-10-23 07:28:00.291ŸR šíY-ž‹ØC:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mcaC:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=40D127EC703ABF34DB66E11E3CD28883E5BFA1B8ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchE.l€**0åêHwÐKÓ  ?Õ,&  0H÷!€åuÐKÓ„ØåMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.>¢(, Z>Z2017-10-23 07:28:02.709ŸR šíY“¶‹<C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{7E55A26D-EF95-4A45-9F55-21E52ADF9887}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchrati0**ðæØKèyÐKÓ  ?Õ,&  0H¹!€êHwÐKÓ„ØæMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.F\(, Z>Z2017-10-23 07:28:04.565ŸR šíY½Ò‹DC:\Windows\System32\smartscreen.exeC:\Windows\System32\smartscreen.exe -EmbeddingC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=D45A12637D1E25020AFB92E8BD301DE869C49799ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch28Dð**Øç'™µ}ÐKÓ  ?Õ,&  0H£!€ØKèyÐKÓ„ØçMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:28:09.440ŸR þ™íYÚ‰‹ÄC:\Windows\System32\dllhost.exeØ**Èèäî}ÐKÓ  ?Õ,&  0H“!€'™µ}ÐKÓ„ØèMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.>J(& Z>T2017-10-23 07:28:15.819ŸR šíY&ŒdC:\Windows\System32\consent.execonsent.exe 1012 408 000001F7C2CEDA10C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B02648A975909E63D93E3531C1250F89BA676F9FŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs.lÈ**ÈéZî€ÐKÓ  ?Õ,&  0H“!€äî}ÐKÓ„ØéMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.>J(& Z>T2017-10-23 07:28:16.193ŸR šíY-ŒC:\Windows\System32\consent.execonsent.exe 1012 408 000001F7C1883C40C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B02648A975909E63D93E3531C1250F89BA676F9FŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsWiÈ**ØêÀ×ÐKÓ  ?Õ,&  0H£!€Zî€ÐKÓ„ØêMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:28:21.196ŸR šíY-ŒC:\Windows\System32\consent.exe11Ø**(ë>IÐKÓ  ?Õ,&  0Hñ!€À×ÐKÓ„ØëMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.>¢(& Z>Z2017-10-23 07:28:21.338ŸR šíYÍ9Œ°C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch8(**(ìQ¿˜ÐKÓ  ?Õ,&  0Hó!€>IÐKÓ„ØìMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.>¢(,Z>Z2017-10-23 07:28:21.444ŸR šíY=Œ@ C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{37096FBE-2F09-4FF6-8507-C6E4E1179893}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchunŸ(**¸í"K¨ÐKÓ  ?Õ,&  0H!€Q¿˜ÐKÓ„ØíMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.\â(8 ZZ^2017-10-23 07:28:22.324ŸR šíYþGŒlC:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" GetDeviceTicket -AccessKey 296069A6-BBBE-8CFE-1EEC-76FA4ADF38A5 C:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=B6EE18EAEE2C2308EAD96D622C6435E53F8E517CŸR –«Y’¬C:\Program Files\Windows Defender\MsMpEng.exe"C:\Program Files\Windows Defender\MsMpEng.exe"07:¸**øîý«‚ƒÐKÓ  ?Õ,&  0HÁ!€"K¨ÐKÓ„ØîMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.\2017-10-23 07:28:22.430ŸR šíYþGŒlC:\Program Files\Windows Defender\MpCmdRun.exe Pø**ØïÏôƒÐKÓ  ?Õ,&  0H£!€ý«‚ƒÐKÓ„ØïMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:28:25.528ŸR šíY&ŒdC:\Windows\System32\consent.exeofØ**Èð×î„ÐKÓ  ?Õ,&  0H“!€ÏôƒÐKÓ„ØðMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.>J(& Z>T2017-10-23 07:28:26.220ŸR šíY:uŒÐC:\Windows\System32\consent.execonsent.exe 1012 408 000001F7C2CED850C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B02648A975909E63D93E3531C1250F89BA676F9FŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsowÈ**Øñ§€l„ÐKÓ  ?Õ,&  0H£!€×î„ÐKÓ„ØñMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:28:26.476ŸR šíYÍ9Œ°C:\Windows\System32\dllhost.exeØ**ðò؇ì„ÐKÓ  ?Õ,&  0H½!€§€l„ÐKÓ„ØòMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.X2017-10-23 07:28:27.082ŸR :–«YBØÄ C:\Program Files\Windows Defender\NisSrv.exeið**ØóDˆÐKÓ  ?Õ,&  0H£!€Ø‡ì„ÐKÓ„ØóMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:28:27.884ŸR šíY:uŒÐC:\Windows\System32\consent.exeØ**Øô}þ6‹ÐKÓ  ?Õ,&  0H£!€DˆÐKÓ„ØôMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:28:33.099ŸR šíY=Œ@ C:\Windows\System32\dllhost.exeØ**ÈõÈ¥ŒÐKÓ  ?Õ,&  0H“!€}þ6‹ÐKÓ„ØõMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.>J(& Z>T2017-10-23 07:28:38.478ŸR &šíYÔïŒC:\Windows\System32\consent.execonsent.exe 1012 408 000001F7C1883C40C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B02648A975909E63D93E3531C1250F89BA676F9FŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs\WÈ**ØöpùŒÐKÓ  ?Õ,&  0H£!€È¥ŒÐKÓ„ØöMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:28:39.899ŸR &šíYÔïŒC:\Windows\System32\consent.exeØ**(÷è¬6ŒÐKÓ  ?Õ,&  0Hñ!€pùŒÐKÓ„Ø÷Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.>¢(& Z>Z2017-10-23 07:28:40.003ŸR (šíY Ô C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunche (**(ø÷’.ÐKÓ  ?Õ,&  0Hó!€è¬6ŒÐKÓ„ØøMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+.>¢(,Z>Z2017-10-23 07:28:40.147ŸR (šíYÒTC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{37096FBE-2F09-4FF6-8507-C6E4E1179893}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch(**ØùãÌSÐKÓ  ?Õ,&  0H£!€÷’.ÐKÓ„ØùMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:28:45.127ŸR (šíY Ô C:\Windows\System32\dllhost.exeogØm Files\Wind  ?Õ,&  0\Win€ãÌSÐKÓ„ØúMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙ_8pW*ÂàC¿LõiûÙLOCAL SERVICEudp ElfChnkúMúM€HûÀþöíRy“˜óè8=Î÷²›f?øm©MFº&Ó é»+**˜úVèp’ÐKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H³!€ãÌSÐKÓ„ØúMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé¢å _Ö¡`Ÿ(À›AøÿÿìD‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .>2017-10-23 07:28:45.375ŸR (šíYÒTC:\Windows\System32\dllhost.exe S˜**0ûÔíO”ÐKÓ  ?Õ,&  0Hý!€Vèp’ÐKÓ„ØûMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ À5ñxaæâçz|°âÊRÿÿFAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .>J(& Z>T2017-10-23 07:28:50.602ŸR 2šíYc=LC:\Windows\System32\consent.execonsent.exe 1012 408 000001F7C1882200C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B02648A975909E63D93E3531C1250F89BA676F9FŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsn0**ØüÏÄY”ÐKÓ  ?Õ,&  0H£!€ÔíO”ÐKÓ„ØüMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:28:53.704ŸR 2šíYc=LC:\Windows\System32\consent.exeerØ**(ý°Íh”ÐKÓ  ?Õ,&  0Hñ!€ÏÄY”ÐKÓ„ØýMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ .>¢(& Z>Z2017-10-23 07:28:53.794ŸR 5šíYÝZ$C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchE04(**(þAh³”ÐKÓ  ?Õ,&  0Hó!€°Íh”ÐKÓ„ØþMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ .>¢(,Z>Z2017-10-23 07:28:53.895ŸR 5šíY^C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{37096FBE-2F09-4FF6-8507-C6E4E1179893}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch\W(**ÿ)EÕ•ÐKÓ  ?Õ,&  0HÍ!€Ah³”ÐKÓ„ØÿMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ .>„(8 Z@@2017-10-23 07:28:54.392ŸR 6šíY•ml C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=FD9154EC5FED8B2EE3A71E95CF62601AC9296509ŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exe0**Èz•–ÐKÓ  ?Õ,&  0H“!€)EÕ•ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ .>J(& Z>T2017-10-23 07:28:56.292ŸR 8šíYÇ(C:\Windows\System32\consent.execonsent.exe 1012 408 000001F7C1882AC0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B02648A975909E63D93E3531C1250F89BA676F9FŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs*È**Øp_c—ÐKÓ  ?Õ,&  0H£!€z•–ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:28:57.507ŸR 8šíYÇ(C:\Windows\System32\consent.exendØ**Ø~Ö©™ÐKÓ  ?Õ,&  0H£!€p_c—ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:28:58.900ŸR 5šíYÝZ$C:\Windows\System32\dllhost.exetiØ**Ø0¢m·ÐKÓ  ?Õ,&  0H£!€~Ö©™ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:29:02.712ŸR 5šíY^C:\Windows\System32\dllhost.exeØ**@åpyºÐKÓ  ?Õ,&  0H!€0¢m·ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.¢2017-10-23 07:29:52.650ŸR šíY-ž‹ØC:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exeocal@**(Ͷ/¼ÐKÓ  ?Õ,&  0Hï!€åpyºÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+tlüâ:IŽ'1¶ÌÔˆŒÿÿ€Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime ..P..2017-10-23 07:29:57.760ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\tool-test\tools\tasksche\tasksche.exe2017-05-12 18:21:24.0002017-10-23 07:29:57.619stem(**Èû‰´¼ÐKÓ  ?Õ,&  0H‘!€Í¶/¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ .PV8, Z..2017-10-23 07:30:00.629ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" C:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=5FF465AFAABCBF0150D1A3AB2C2E74F3A4426467ŸR S–«Y­{ C:\Windows\explorer.exeC:\Windows\Explorer.EXE„È**˜›´¼ÐKÓ  ?Õ,&  0Ha!€û‰´¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PD..2017-10-23 07:30:01.494ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\b.wnry2017-05-11 12:13:20.0002017-10-23 07:30:01.4940˜**˜+Tº¼ÐKÓ  ?Õ,&  0Ha!€›´¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PD..2017-10-23 07:30:01.494ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\c.wnry2017-05-11 12:11:58.0002017-10-23 07:30:01.494˜**° rŽº¼ÐKÓ  ?Õ,&  0H}!€+Tº¼ÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P`..2017-10-23 07:30:01.541ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_bulgarian.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.541°**È $ »¼ÐKÓ  ?Õ,&  0H“!€rŽº¼ÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.Pv..2017-10-23 07:30:01.541ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_chinese (simplified).wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.541*È**È »¼ÐKÓ  ?Õ,&  0H•!€$ »¼ÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.Px..2017-10-23 07:30:01.541ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_chinese (traditional).wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.541.È**° du¼¼ÐKÓ  ?Õ,&  0H{!€»¼ÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P^..2017-10-23 07:30:01.541ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_croatian.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.541xm°**¨ ~{¼¼ÐKÓ  ?Õ,&  0Hu!€du¼¼ÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PX..2017-10-23 07:30:01.557ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_czech.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.5572¨**°¼¼ÐKÓ  ?Õ,&  0Hw!€~{¼¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PZ..2017-10-23 07:30:01.557ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_danish.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.557EMtc°**¨ÿ„¼¼ÐKÓ  ?Õ,&  0Hu!€¼¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PX..2017-10-23 07:30:01.557ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_dutch.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.557s¨**°ÿ6½¼ÐKÓ  ?Õ,&  0Hy!€ÿ„¼¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P\..2017-10-23 07:30:01.557ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_english.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.557.xm°**°?½¼ÐKÓ  ?Õ,&  0H{!€ÿ6½¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P^..2017-10-23 07:30:01.557ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_filipino.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.5578f°**°Ü¾¼ÐKÓ  ?Õ,&  0Hy!€?½¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P\..2017-10-23 07:30:01.557ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_finnish.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.557C:\°**°h¾¼ÐKÓ  ?Õ,&  0Hw!€Ü¾¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PZ..2017-10-23 07:30:01.557ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_french.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.557KÓ„°**°|n¾¼ÐKÓ  ?Õ,&  0Hw!€h¾¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PZ..2017-10-23 07:30:01.557ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_german.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.557°**¨¶ê¾¼ÐKÓ  ?Õ,&  0Hu!€|n¾¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PX..2017-10-23 07:30:01.557ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_greek.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.557¨**¸m⿼ÐKÓ  ?Õ,&  0H!€¶ê¾¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.Pb..2017-10-23 07:30:01.557ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_indonesian.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.557 ?Õ,&¸**°öÐKÓ  ?Õ,&  0Hy!€m⿼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P\..2017-10-23 07:30:01.557ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_italian.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.557-Wi°**°(VÀ¼ÐKÓ  ?Õ,&  0H{!€öÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P^..2017-10-23 07:30:01.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_japanese.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.557cr°**°'_À¼ÐKÓ  ?Õ,&  0Hw!€(VÀ¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PZ..2017-10-23 07:30:01.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_korean.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.572_8pW*Âà°**°p÷À¼ÐKÓ  ?Õ,&  0Hy!€'_À¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P\..2017-10-23 07:30:01.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_latvian.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.5720°**°¾Á¼ÐKÓ  ?Õ,&  0H}!€p÷À¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P`..2017-10-23 07:30:01.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_norwegian.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.572t°**°–Á¼ÐKÓ  ?Õ,&  0Hw!€¾Á¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PZ..2017-10-23 07:30:01.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_polish.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.572.53.°**¸´Á¼ÐKÓ  ?Õ,&  0H!€–Á¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.Pb..2017-10-23 07:30:01.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_portuguese.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.572tPip¸**°‹Á¼ÐKÓ  ?Õ,&  0H{!€´Á¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P^..2017-10-23 07:30:01.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_romanian.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.57269°**°¤Á¼ÐKÓ  ?Õ,&  0Hy!€‹Á¼ÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P\..2017-10-23 07:30:01.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_russian.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.572Sys°**° ÈÁ¼ÐKÓ  ?Õ,&  0Hw!€¤Á¼ÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PZ..2017-10-23 07:30:01.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_slovak.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.572 °**°!´"Á¼ÐKÓ  ?Õ,&  0Hy!€ÈÁ¼ÐKÓ„Ø!Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P\..2017-10-23 07:30:01.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_spanish.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.572ies°**°" )Á¼ÐKÓ  ?Õ,&  0Hy!€´"Á¼ÐKÓ„Ø"Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P\..2017-10-23 07:30:01.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_swedish.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.572éÇ°**°#é/Á¼ÐKÓ  ?Õ,&  0Hy!€ )Á¼ÐKÓ„Ø#Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P\..2017-10-23 07:30:01.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_turkish.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.572а**¸$¼4Á¼ÐKÓ  ?Õ,&  0H!€é/Á¼ÐKÓ„Ø$Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.Pb..2017-10-23 07:30:01.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\msg\m_vietnamese.wnry2010-11-19 20:16:58.0002017-10-23 07:30:01.572Micr¸**˜%=%̼ÐKÓ  ?Õ,&  0Ha!€¼4Á¼ÐKÓ„Ø%Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PD..2017-10-23 07:30:01.587ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\r.wnry2017-05-11 07:59:14.0002017-10-23 07:30:01.572960˜**˜&BμÐKÓ  ?Õ,&  0Ha!€=%̼ÐKÓ„Ø&Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PD..2017-10-23 07:30:01.650ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\s.wnry2017-05-09 08:58:44.0002017-10-23 07:30:01.587 œ—í˜**˜'#μÐKÓ  ?Õ,&  0Ha!€BμÐKÓ„Ø'Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PD..2017-10-23 07:30:01.666ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\t.wnry2017-05-11 18:22:56.0002017-10-23 07:30:01.650˜** (‘μÐKÓ  ?Õ,&  0Hi!€#μÐKÓ„Ø(Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PL..2017-10-23 07:30:01.666ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\taskdl.exe2017-05-11 18:22:56.0002017-10-23 07:30:01.666mon ** )μÐKÓ  ?Õ,&  0Hi!€‘μÐKÓ„Ø)Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PL..2017-10-23 07:30:01.666ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\taskse.exe2017-05-11 18:22:56.0002017-10-23 07:30:01.666H **˜*1Ò¼ÐKÓ  ?Õ,&  0Ha!€μÐKÓ„Ø*Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PD..2017-10-23 07:30:01.666ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\tasksche\u.wnry2017-05-11 18:22:56.0002017-10-23 07:30:01.666˜**À+ý'Û¼ÐKÓ  ?Õ,&  0H‡!€1Ò¼ÐKÓ„Ø+Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ .<8, ZPV2017-10-23 07:30:01.702ŸR yšíYlêDC:\Windows\SysWOW64\attrib.exeattrib +h .C:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=B84CFB9C22DCBDF91BF5E48D90DE98B7479BF2D2ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" ratiÀ**ð,QØÞ¼ÐKÓ  ?Õ,&  0H·!€ý'Û¼ÐKÓ„Ø,Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ .<F8, ZPV2017-10-23 07:30:01.751ŸR yšíYÀëüC:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /QC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=6702AD6DA55336C6CBA8FED06BCFF399FA0953EEŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" O\VMð** -ãíÞ¼ÐKÓ  ?Õ,&  0Hi!€QØÞ¼ÐKÓ„Ø-Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ .>n, Z<2017-10-23 07:30:01.769ŸR yšíY¼ëC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR yšíYlêDC:\Windows\SysWOW64\attrib.exeattrib +h .! **Ð.›B½ÐKÓ  ?Õ,&  0H™!€ãíÞ¼ÐKÓ„Ø.Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ .>n, Z<F2017-10-23 07:30:01.787ŸR yšíYíèC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR yšíYÀëüC:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Qs\EÐ**Ø/àB½ÐKÓ  ?Õ,&  0H¡!€›B½ÐKÓ„Ø/Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.<2017-10-23 07:30:02.431ŸR yšíYÀëüC:\Windows\SysWOW64\icacls.exesofØ**Ø0¾|x½ÐKÓ  ?Õ,&  0H£!€àB½ÐKÓ„Ø0Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:30:02.431ŸR yšíYíèC:\Windows\System32\conhost.exeØ**Ø1ùy½ÐKÓ  ?Õ,&  0H¡!€¾|x½ÐKÓ„Ø1Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.<2017-10-23 07:30:02.791ŸR yšíYlêDC:\Windows\SysWOW64\attrib.exerv.Ø**Ø2‚KŸÀÐKÓ  ?Õ,&  0H£!€ùy½ÐKÓ„Ø2Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:30:02.791ŸR yšíY¼ëC:\Windows\System32\conhost.exestØ**È31ÎÀÐKÓ  ?Õ,&  0H•!€‚KŸÀÐKÓ„Ø3Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ .L8, ZPV2017-10-23 07:30:08.080ŸR €šíYcÀC:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" 1È**è4eÛÀÐKÓ  ?Õ,&  0H±!€1ÎÀÐKÓ„Ø4Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.L2017-10-23 07:30:08.384ŸR €šíYcÀC:\tool-test\tools\tasksche\taskdl.exeowsè**5U_hÁÐKÓ  ?Õ,&  0HÍ!€eÛÀÐKÓ„Ø5Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ .6b8, ZPV2017-10-23 07:30:08.464ŸR €šíY”g¸C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 56991508743808.batC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=574F512A44097275658F9C304EF0B74029E9EA46ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" 7**è6¹t«ÁÐKÓ  ?Õ,&  0H¯!€U_hÁÐKÓ„Ø6Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ .>n, Z6b2017-10-23 07:30:09.390ŸR šíYÓ©äC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR €šíY”g¸C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 56991508743808.bats-Syè**˜7IN´ÁÐKÓ  ?Õ,&  0Hc!€¹t«ÁÐKÓ„Ø7Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PF..2017-10-23 07:30:09.822ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\Sysmon\Eula.txt.WNCRYT2017-06-13 08:52:08.0002017-10-23 07:30:09.82268˜**Ð8á†àÁÐKÓ  ?Õ,&  0H›!€IN´ÁÐKÓ„Ø8Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ .>68, Z6b2017-10-23 07:30:09.891ŸR šíYµ¼D C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbsC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=A32B7EB21A1AF72D6097705EA42E8D5169AD91ABŸR €šíY”g¸C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 56991508743808.batexÐ** 9™èÁÐKÓ  ?Õ,&  0Hç!€á†àÁÐKÓ„Ø9Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PÊ..2017-10-23 07:30:10.182ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\Noriben-master\Noriben-master\Sample\Noriben_09_Apr_13__20_16_13_368000.csv.WNCRYT2017-07-06 06:48:52.0002017-10-23 07:30:10.134 ** :ãuñÁÐKÓ  ?Õ,&  0Hç!€™èÁÐKÓ„Ø:Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PÊ..2017-10-23 07:30:10.229ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\Noriben-master\Noriben-master\Sample\Noriben_09_Apr_13__20_16_13_368000.txt.WNCRYT2017-07-06 06:48:52.0002017-10-23 07:30:10.229st.e **è;/~ÂÐKÓ  ?Õ,&  0H³!€ãuñÁÐKÓ„Ø;Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P–..2017-10-23 07:30:10.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\python-evtx-master\python-evtx-master\LICENSE.TXT.WNCRYT2017-07-16 10:15:06.0002017-10-23 07:30:10.291syè**¨<æ<&ÂÐKÓ  ?Õ,&  0Ho!€/~ÂÐKÓ„Ø<Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PR..2017-10-23 07:30:10.510ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\Sysmon\Eula.txt.WNCRYT2017-06-13 08:52:08.0002017-10-23 07:30:10.479 ¨**À=Ìœ7ÂÐKÓ  ?Õ,&  0H‡!€æ<&ÂÐKÓ„Ø=Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.Pj..2017-10-23 07:30:10.635ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\ToHanJY\ToHanJY\(glšgÈ~¥bJT.docx.WNCRYT2015-07-17 03:08:32.0002017-10-23 07:30:10.557 101À**È>ÚMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.Px..2017-10-23 07:30:10.744ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\ToHanJY\ToHanJY\7h,gRg¥bJT2014.05.docx.WNCRYT2015-09-24 03:10:02.0002017-10-23 07:30:10.681eÈ**Ø? ŸlÃÐKÓ  ?Õ,&  0H£!€Ú2017-10-23 07:30:12.745ŸR šíYµ¼D C:\Windows\SysWOW64\cscript.exe35Ø**Ð@pþlÃÐKÓ  ?Õ,&  0H›!€ ŸlÃÐKÓ„Ø@Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.62017-10-23 07:30:12.776ŸR €šíY”g¸C:\Windows\SysWOW64\cmd.exeWiÐ**ØAFL†ÄÐKÓ  ?Õ,&  0H£!€pþlÃÐKÓ„ØAMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢åé.>2017-10-23 07:30:12.776ŸR šíYÓ©äC:\Windows\System32\conhost.exeWiØ**èBÏÅÄÐKÓ  ?Õ,&  0Hµ!€FL†ÄÐKÓ„ØBMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P˜..2017-10-23 07:30:14.620ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT2017-09-03 05:37:10.1842017-10-23 07:30:14.463mè**C(¦òÊÐKÓ  ?Õ,&  0HÕ!€ÏÅÄÐKÓ„ØCMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P¸..2017-10-23 07:30:15.026ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\ThirdPartyNotices.txt.WNCRYT2017-10-23 06:49:37.8622017-10-23 07:30:15.0103**ÈDÔ3ùÊÐKÓ  ?Õ,&  0H•!€(¦òÊÐKÓ„ØDMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.Px..2017-10-23 07:30:25.400ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7066ebe0-1c3f-4020-a492-01fea5b0c66b}\0.0.filtertrie.intermediate.txt.WNCRYT2017-10-23 06:52:22.7052017-10-23 07:30:25.385MÈ**ÈEpËÐKÓ  ?Õ,&  0H•!€Ô3ùÊÐKÓ„ØEMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.Px..2017-10-23 07:30:25.447ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{df2291aa-5853-4d6b-af69-5ac06e193351}\0.0.filtertrie.intermediate.txt.WNCRYT2017-10-23 06:52:18.3152017-10-23 07:30:25.4312È**¸FðZ ËÐKÓ  ?Õ,&  0H!€pËÐKÓ„ØFMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.Pb..2017-10-23 07:30:25.509ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{17174833-1c45-4c11-a81f-41750c5dee4c}\appsconversions.txt.WNCRYT2016-04-13 08:55:02.0002017-10-23 07:30:25.494&¸**°Gr#ËÐKÓ  ?Õ,&  0Hw!€ðZ ËÐKÓ„ØGMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.PZ..2017-10-23 07:30:25.573ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{17174833-1c45-4c11-a81f-41750c5dee4c}\appsglobals.txt.WNCRYT2016-04-15 08:09:02.0002017-10-23 07:30:25.525.°**°H½BËÐKÓ  ?Õ,&  0Hy!€r#ËÐKÓ„ØHMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P\..2017-10-23 07:30:25.588ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{17174833-1c45-4c11-a81f-41750c5dee4c}\appssynonyms.txt.WNCRYT2016-04-15 08:09:24.0002017-10-23 07:30:25.573nal°**ÀIfËÐKÓ  ?Õ,&  0H‡!€½BËÐKÓ„ØIMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.Pj..2017-10-23 07:30:25.604ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{17174833-1c45-4c11-a81f-41750c5dee4c}\settingsconversions.txt.WNCRYT2016-04-13 08:55:02.0002017-10-23 07:30:25.588ñx+À**¸J±™ËÐKÓ  ?Õ,&  0H!€fËÐKÓ„ØJMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.Pb..2017-10-23 07:30:25.651ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{17174833-1c45-4c11-a81f-41750c5dee4c}\settingsglobals.txt.WNCRYT2016-04-15 08:09:04.0002017-10-23 07:30:25.651onal¸**¸KˆŒ%ËÐKÓ  ?Õ,&  0H!€±™ËÐKÓ„ØKMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.Pd..2017-10-23 07:30:25.666ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{17174833-1c45-4c11-a81f-41750c5dee4c}\settingssynonyms.txt.WNCRYT2016-04-15 08:09:56.0002017-10-23 07:30:25.666S¸**xLXn+ËÐKÓ  ?Õ,&  0H?!€ˆŒ%ËÐKÓ„ØLMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P"..2017-10-23 07:30:25.729ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131489242020722805.txt.WNCRYT2017-09-03 14:56:57.5412017-10-23 07:30:25.697{370x**xM÷23ËÐKÓ  ?Õ,&  0H?!€Xn+ËÐKÓ„ØMMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+.P"..2017-10-23 07:30:25.775ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131532151181172397.txt.WNCRYT2017-10-23 06:52:13.2062017-10-23 07:30:25.760\Sysxm32\dllhost.  ?Õ,&  0H€÷23ËÐKÓ„ØNMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü»+ElfChnkNN€0ú0ý/§”ÚùA,óè8=Î÷²›f?øm©MFº&é**ø NØZÌÐKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H!€÷23ËÐKÓ„ØNMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüétlüâ:IŽ'1¶ÌÔˆºÿÿ®D‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .P"..2017-10-23 07:30:25.822ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131532151393102090.txt.WNCRYT2017-10-23 06:52:20.9712017-10-23 07:30:25.8068)ø **èOH&bÌÐKÓ  ?Õ,&  0Hµ!€ØZÌÐKÓ„ØOMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P˜..2017-10-23 07:30:27.759ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\LICENSE.txt.WNCRYT2017-07-07 20:20:18.0002017-10-23 07:30:27.744yè**èP%âlÍÐKÓ  ?Õ,&  0H¯!€H&bÌÐKÓ„ØPMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P’..2017-10-23 07:30:27.807ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\NEWS.txt.WNCRYT2017-07-07 19:58:02.0002017-10-23 07:30:27.775t-Wiè**Q©ÂÍÐKÓ  ?Õ,&  0HÍ!€%âlÍÐKÓ„ØQMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:30:29.556ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\CREDITS.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:29.5562**R~ÂÄÍÐKÓ  ?Õ,&  0HË!€©ÂÍÐKÓ„ØRMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:30.119ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\extend.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:30.103Wi**SJÎÐKÓ  ?Õ,&  0HÍ!€~ÂÄÍÐKÓ„ØSMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:30:30.135ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\HISTORY.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:30.119.**T;Õ@ÎÐKÓ  ?Õ,&  0HÇ!€JÎÐKÓ„ØTMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:30:30.650ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\NEWS.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:30.619ORK **U¡MAÎÐKÓ  ?Õ,&  0HË!€;Õ@ÎÐKÓ„ØUMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:30.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\NEWS2x.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:30.838ws**V ÚAÎÐKÓ  ?Õ,&  0HË!€¡MAÎÐKÓ„ØVMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:30.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\README.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:30.947Sy**W ¤FÎÐKÓ  ?Õ,&  0HÇ!€ ÚAÎÐKÓ„ØWMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:30:30.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\TODO.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:30.947 **XsŸXÎÐKÓ  ?Õ,&  0Hß!€ ¤FÎÐKÓ„ØXMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:30:30.963ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\idle_test\README.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:30.963\Win**Y+MÎÐKÓ  ?Õ,&  0HÍ!€sŸXÎÐKÓ„ØYMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:30:31.103ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\lib2to3\Grammar.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:31.103**`Z15!ÏÐKÓ  ?Õ,&  0H)!€+MÎÐKÓ„ØZMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:30:31.463ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\coverage-4.4.1-py3.6-win32.egg\EGG-INFO\SOURCES.txt.WNCRYT2017-09-03 15:58:01.1642017-10-23 07:30:31.46323 `**H[-‚;ÏÐKÓ  ?Õ,&  0H!€15!ÏÐKÓ„Ø[Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pö..2017-10-23 07:30:32.416ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\py-1.4.34-py3.6.egg\EGG-INFO\SOURCES.txt.WNCRYT2017-09-03 15:58:47.5082017-10-23 07:30:32.416onH**P\ÜVÏÐKÓ  ?Õ,&  0H!€-‚;ÏÐKÓ„Ø\Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pü..2017-10-23 07:30:32.588ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\pytest-3.2.1-py3.6.egg\EGG-INFO\SOURCES.txt.WNCRYT2017-09-03 15:57:48.8202017-10-23 07:30:32.588sksP**X]‘¤iÏÐKÓ  ?Õ,&  0H!!€ÜVÏÐKÓ„Ø]Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:30:32.759ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\pytest_cov-2.5.1-py3.6.egg\EGG-INFO\SOURCES.txt.WNCRYT2017-09-03 15:57:25.4142017-10-23 07:30:32.7590-2X**P^àù¶ÏÐKÓ  ?Õ,&  0H!€‘¤iÏÐKÓ„Ø^Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pþ..2017-10-23 07:30:32.885ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\setuptools-28.8.0.dist-info\entry_points.txt.WNCRYT2017-09-03 10:33:42.0552017-10-23 07:30:32.8850P**_h‡·ÏÐKÓ  ?Õ,&  0H×!€àù¶ÏÐKÓ„Ø_Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pº..2017-10-23 07:30:33.400ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cmath_testcases.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.369Micr**`Q·ÏÐKÓ  ?Õ,&  0Hß!€h‡·ÏÐKÓ„Ø`Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:30:33.400ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\exception_hierarchy.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.400smon**a(L»ÏÐKÓ  ?Õ,&  0H×!€Q·ÏÐKÓ„ØaMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pº..2017-10-23 07:30:33.400ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\floating_points.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.400:30:**b<´»ÏÐKÓ  ?Õ,&  0Hã!€(L»ÏÐKÓ„ØbMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:30:33.417ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\formatfloat_testcases.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.417he**c%¼ÏÐKÓ  ?Õ,&  0HÇ!€<´»ÏÐKÓ„ØcMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:30:33.431ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\ieee754.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.431glis**dí¼ÏÐKÓ  ?Õ,&  0HÇ!€%¼ÏÐKÓ„ØdMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:30:33.431ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\mailcap.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.4310-23**eÆ÷ÁÏÐKÓ  ?Õ,&  0HÕ!€í¼ÏÐKÓ„ØeMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¸..2017-10-23 07:30:33.431ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\math_testcases.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.431**fÑqÃÏÐKÓ  ?Õ,&  0HÕ!€Æ÷ÁÏÐKÓ„ØfMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¸..2017-10-23 07:30:33.463ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\tokenize_tests.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.463**(gHÛÃÏÐKÓ  ?Õ,&  0Hõ!€ÑqÃÏÐKÓ„ØgMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PØ..2017-10-23 07:30:33.479ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\euc_jisx0213-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.479w(** h@HÄÏÐKÓ  ?Õ,&  0Hé!€HÛÃÏÐKÓ„ØhMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÌ..2017-10-23 07:30:33.479ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\euc_jp-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.47930: ** iNÅÏÐKÓ  ?Õ,&  0Hë!€@HÄÏÐKÓ„ØiMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÎ..2017-10-23 07:30:33.479ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\gb18030-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.479he **jÏýÅÏÐKÓ  ?Õ,&  0Hã!€NÅÏÐKÓ„ØjMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:30:33.494ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\gbk-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.479y2**(kdvÆÏÐKÓ  ?Õ,&  0Hñ!€ÏýÅÏÐKÓ„ØkMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÔ..2017-10-23 07:30:33.494ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\iso2022_jp-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.494p÷À¼(**(leIÇÏÐKÓ  ?Õ,&  0Hï!€dvÆÏÐKÓ„ØlMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÒ..2017-10-23 07:30:33.494ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\shift_jis-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.494KÓ„(**0myóÏÐKÓ  ?Õ,&  0Hù!€eIÇÏÐKÓ„ØmMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÜ..2017-10-23 07:30:33.494ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\shift_jisx0213-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.494-Sy0**n‘¾ýÏÐKÓ  ?Õ,&  0HÕ!€yóÏÐKÓ„ØnMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¸..2017-10-23 07:30:33.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\leakers\README.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.791-**oË#þÏÐKÓ  ?Õ,&  0Hå!€‘¾ýÏÐKÓ„ØoMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:30:33.854ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_02.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.854t**puƒÐÐKÓ  ?Õ,&  0Hå!€Ë#þÏÐKÓ„ØpMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:30:33.854ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_06.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.854\**q•ìÐÐKÓ  ?Õ,&  0Hå!€uƒÐÐKÓ„ØqMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:30:33.885ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_07.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.8850**r8EÐÐKÓ  ?Õ,&  0Hå!€•ìÐÐKÓ„ØrMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:30:33.885ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_13.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.885**s¼®ÐÐKÓ  ?Õ,&  0Hå!€8EÐÐKÓ„ØsMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:30:33.885ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_15.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.885f**tÆÍ ÐÐKÓ  ?Õ,&  0Hå!€¼®ÐÐKÓ„ØtMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:30:33.900ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_16.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.900e**uçA ÐÐKÓ  ?Õ,&  0Hå!€ÆÍ ÐÐKÓ„ØuMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:30:33.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_22.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.947:**v6š ÐÐKÓ  ?Õ,&  0Hå!€çA ÐÐKÓ„ØvMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:30:33.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_25.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.947-**wµIÐÐKÓ  ?Õ,&  0Hå!€6š ÐÐKÓ„ØwMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:30:33.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_26.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.9473**x:°ÐÐKÓ  ?Õ,&  0Hå!€µIÐÐKÓ„ØxMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:30:33.979ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_38.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.963**y¥”ÐÐKÓ  ?Õ,&  0Hå!€:°ÐÐKÓ„ØyMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:30:33.979ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_39.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.979n**z\¢jÐÐKÓ  ?Õ,&  0Hå!€¥”ÐÐKÓ„ØzMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:30:33.979ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_43.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:30:33.9798**{°ÿlÐÐKÓ  ?Õ,&  0HË!€\¢jÐÐKÓ„Ø{Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.573ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ar.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.573**| emÐÐKÓ  ?Õ,&  0HÑ!€°ÿlÐÐKÓ„Ø|Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:30:34.588ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ar_jo.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.588ool**}©½mÐÐKÓ  ?Õ,&  0HÑ!€ emÐÐKÓ„Ø}Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:30:34.588ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ar_lb.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.588 C–«**~nÐÐKÓ  ?Õ,&  0HÑ!€©½mÐÐKÓ„Ø~Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:30:34.588ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ar_sy.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.588ws\**WGpÐÐKÓ  ?Õ,&  0HË!€nÐÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.588ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\be.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.588<**€]¾pÐÐKÓ  ?Õ,&  0HË!€WGpÐÐKÓ„Ø€Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.603ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\bg.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.603**qÐÐKÓ  ?Õ,&  0HË!€]¾pÐÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.603ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\bn.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.603os**‚ºHqÐÐKÓ  ?Õ,&  0HË!€qÐÐKÓ„Ø‚Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.619ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ca.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.61951**ƒa!rÐÐKÓ  ?Õ,&  0HË!€ºHqÐÐKӄ؃Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.619ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\cs.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.619**„ÎSrÐÐKÓ  ?Õ,&  0HË!€a!rÐÐKÓ„Ø„Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.619ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\da.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.619A4**…âÃrÐÐKÓ  ?Õ,&  0HË!€ÎSrÐÐKÓ„Ø…Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.619ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\de.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.619st**†RsÐÐKÓ  ?Õ,&  0HÑ!€âÃrÐÐKӄ؆Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:30:34.619ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\de_be.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.619.2**‡y%vÐÐKÓ  ?Õ,&  0HË!€RsÐÐKӄ؇Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.635ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\el.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.619C:**ˆ.¿vÐÐKÓ  ?Õ,&  0HË!€y%vÐÐKӄ؈Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.635ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\eo.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.635of**‰šuwÐÐKÓ  ?Õ,&  0HË!€.¿vÐÐKӄ؉Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.650ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.650on**Š?æwÐÐKÓ  ?Õ,&  0HË!€šuwÐÐKÓ„ØŠMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.650ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\et.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.650of**‹M®xÐÐKÓ  ?Õ,&  0HË!€?æwÐÐKÓ„Ø‹Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.666ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\fa.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.650Sy**Œ¢+yÐÐKÓ  ?Õ,&  0HÑ!€M®xÐÐKÓ„ØŒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:30:34.666ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\fa_in.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.666nal**@ƒyÐÐKÓ  ?Õ,&  0HË!€¢+yÐÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.666ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\fi.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.666-2**Ž0zÐÐKÓ  ?Õ,&  0HË!€@ƒyÐÐKÓ„ØŽMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.666ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\fr.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.666ws**Öf|ÐÐKÓ  ?Õ,&  0HË!€0zÐÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.666ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ga.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.666Wi**ß|ÐÐKÓ  ?Õ,&  0HË!€Öf|ÐÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.681ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\gv.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.681ca**‘Z:}ÐÐKÓ  ?Õ,&  0HË!€ß|ÐÐKÓ„Ø‘Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\he.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.697t\**’Ã}ÐÐKÓ  ?Õ,&  0HË!€Z:}ÐÐKÓ„Ø’Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\hi.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.697ag**“[^ÐÐKÓ  ?Õ,&  0HË!€Ã}ÐÐKÓ„Ø“Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\hr.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.697-2**”²ÄÐÐKÓ  ?Õ,&  0HË!€[^ÐÐKÓ„Ø”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.713ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\hu.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.713**•(€ÐÐKÓ  ?Õ,&  0HË!€²ÄÐÐKÓ„Ø•Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.713ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\is.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.7135.**–¥j€ÐÐKÓ  ?Õ,&  0HË!€(€ÐÐKÓ„Ø–Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.713ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\it.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.713-4**—( ÐÐKÓ  ?Õ,&  0HË!€¥j€ÐÐKÓ„Ø—Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.713ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ja.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.713\M**˜<‡ÐÐKÓ  ?Õ,&  0HË!€( ÐÐKӄؘMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.713ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ko.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.713ŸR**™õàÐÐKÓ  ?Õ,&  0HÍ!€<‡ÐÐKÓ„Ø™Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:30:34.728ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\kok.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.713y**šá3‚ÐÐKÓ  ?Õ,&  0HË!€õàÐÐKÓ„ØšMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.728ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\lt.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.728Œ%Ë**›©¸‚ÐÐKÓ  ?Õ,&  0HË!€á3‚ÐÐKÓ„Ø›Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.728ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\lv.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.728e4**œDQ†ÐÐKÓ  ?Õ,&  0HË!€©¸‚ÐÐKÓ„ØœMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.728ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\mk.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.728ws**x܆ÐÐKÓ  ?Õ,&  0HË!€DQ†ÐÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.759ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\mr.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.759hexeC:\Users\M  ?Õ,&  0How€x܆ÐÐKÓ„ØžMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®.012017-10-23 07:30:34.759ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\nb.msg.WNCRYT2017-06-16 12:32:48.000ElfChnkžîžî€û(þ5a–L>ˆ¨Ùóè8=Î÷²›f?øm©MFº&æû­é**€ žr7‡ÐÐKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H!€x܆ÐÐKÓ„ØžMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüétlüâ:IŽ'1¶ÌÔˆºÿÿ®D‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .P®..2017-10-23 07:30:34.759ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\nb.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.759.t€ **Ÿ袉ÐÐKÓ  ?Õ,&  0HË!€r7‡ÐÐKÓ„ØŸMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.759ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\nl.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.759YT** tS‹ÐÐKÓ  ?Õ,&  0HË!€è¢‰ÐÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.775ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\nn.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.775:5**¡\,ÐÐKÓ  ?Õ,&  0HË!€tS‹ÐÐKÓ„Ø¡Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\pl.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.791 1**¢.ÇÐÐKÓ  ?Õ,&  0HË!€\,ÐÐKÓ„Ø¢Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\pt.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.79111**£˜5ŽÐÐKÓ  ?Õ,&  0HË!€.ÇÐÐKÓ„Ø£Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.806ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ro.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.806 1**¤–•ŽÐÐKÓ  ?Õ,&  0HË!€˜5ŽÐÐKӄؤMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.806ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ru.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.806:5**¥Œ<ÐÐKÓ  ?Õ,&  0HË!€–•ŽÐÐKÓ„Ø¥Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.806ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\sh.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.80611**¦`ÛÐÐKÓ  ?Õ,&  0HË!€Œ<ÐÐKӄئMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.822ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\sk.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.82211**§þu‘ÐÐKÓ  ?Õ,&  0HË!€`ÛÐÐKӄاMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.822ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\sl.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.822:5**¨’ÐÐKÓ  ?Õ,&  0HË!€þu‘ÐÐKӄبMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.822ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\sq.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.82201**©˜“ÐÐKÓ  ?Õ,&  0HË!€’ÐÐKÓ„Ø©Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.822ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\sr.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.822YT**ª^8”ÐÐKÓ  ?Õ,&  0HË!€˜“ÐÐKӄتMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.837ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\sv.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.837.4**«È©”ÐÐKÓ  ?Õ,&  0HË!€^8”ÐÐKÓ„Ø«Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.837ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ta.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.837\P**¬( •ÐÐKÓ  ?Õ,&  0HË!€È©”ÐÐKӄجMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.853ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\te.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.853\U**­Óæ–ÐÐKÓ  ?Õ,&  0HË!€( •ÐÐKÓ„Ø­Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.853ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\th.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.853\t**®™<—ÐÐKÓ  ?Õ,&  0HË!€Óæ–ÐÐKÓ„Ø®Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.869ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\tr.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.853P**¯£—ÐÐKÓ  ?Õ,&  0HË!€™<—ÐÐKӄدMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.869ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\uk.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.869Wi**°¦˜ÐÐKÓ  ?Õ,&  0HË!€£—ÐÐKÓ„Ø°Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.869ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\vi.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.869cr**±:ù²ÐÐKÓ  ?Õ,&  0HË!€¦˜ÐÐKӄرMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:34.869ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\zh.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:30:34.869on**²Ò²¶ÐÐKÓ  ?Õ,&  0HÝ!€:ù²ÐÐKӄزMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÀ..2017-10-23 07:30:35.041ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\pref\WmDefault.txt.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.041n**³6ó¸ÐÐKÓ  ?Õ,&  0HË!€Ò²¶ÐÐKӄسMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:35.072ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\demos\en.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.072Wi**´s‡ºÐÐKÓ  ?Õ,&  0HË!€6ó¸ÐÐKÓ„Ø´Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:35.088ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\demos\nl.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.088Wi**µ똽ÐÐKÓ  ?Õ,&  0HÉ!€s‡ºÐÐKӄصMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:30:35.088ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\cs.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.088-Wi**¶êö½ÐÐKÓ  ?Õ,&  0HÉ!€ë˜½ÐÐKӄضMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:30:35.119ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\da.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.119sof**·´C¾ÐÐKÓ  ?Õ,&  0HÉ!€êö½ÐÐKÓ„Ø·Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:30:35.119ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\de.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.119icr**¸kn¾ÐÐKÓ  ?Õ,&  0HÉ!€´C¾ÐÐKӄظMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:30:35.119ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\el.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.119€HÛÃÏ**¹UeÄÐÐKÓ  ?Õ,&  0HÉ!€kn¾ÐÐKӄعMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:30:35.119ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\en.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.1190**ºDÖÄÐÐKÓ  ?Õ,&  0HÉ!€UeÄÐÐKӄغMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:30:35.166ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\eo.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.150**»½ÆÐÐKÓ  ?Õ,&  0HÉ!€DÖÄÐÐKÓ„Ø»Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:30:35.166ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\es.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.166**¼_ÔÈÐÐKÓ  ?Õ,&  0HÉ!€½ÆÐÐKӄؼMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:30:35.166ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\fr.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.166****½ö5ÉÐÐKÓ  ?Õ,&  0HÉ!€_ÔÈÐÐKӄؽMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:30:35.181ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\hu.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.1813 0**¾”ÉÐÐKÓ  ?Õ,&  0HÉ!€ö5ÉÐÐKӄؾMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:30:35.197ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\it.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.197-17**¿»°ÌÐÐKÓ  ?Õ,&  0HÉ!€”ÉÐÐKÓ„Ø¿Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:30:35.197ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\nl.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.197017**ÀXÍÐÐKÓ  ?Õ,&  0HÉ!€»°ÌÐÐKÓ„ØÀMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:30:35.213ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\pl.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.213.tx**ÁîrÍÐÐKÓ  ?Õ,&  0HÉ!€XÍÐÐKÓ„ØÁMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:30:35.213ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\pt.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.213\da**–ÌÍÐÐKÓ  ?Õ,&  0HÉ!€îrÍÐÐKÓ„ØÂMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:30:35.213ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\ru.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:30:35.213t\t**ÃZ2017-10-23 07:30:53.392ŸR ­šíYj“˜C:\Windows\System32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mcaC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRAppContainerSHA1=0DA61DE2844E7AABBB0D424722E477F95FFA3632ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchersØ**À׸YjÝÐKÓ  ?Õ,&  0H‰!€¸PYÝÐKÓ„Ø×Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pl..2017-10-23 07:30:56.275ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\ToHanJY\ToHanJY\ƒzÆ[(glš7h,gGl;`.rar.WNCRYT2016-04-09 11:48:08.0002017-10-23 07:30:51.619estÀ**ÐØœ«pÝÐKÓ  ?Õ,&  0H›!€¸YjÝÐKÓ„ØØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P~..2017-10-23 07:30:56.370ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\install\caf-dbg.ps1.WNCRYT2017-03-16 23:36:16.0002017-10-23 07:30:56.354.6Ð**ØÙñ}ÝÐKÓ  ?Õ,&  0H£!€œ«pÝÐKÓ„ØÙMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P†..2017-10-23 07:30:56.416ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\install\postInstall.bat.WNCRYT2017-03-16 23:36:16.0002017-10-23 07:30:56.4162Ø**ÐÚ4o~ÝÐKÓ  ?Õ,&  0H™!€ñ}ÝÐKÓ„ØÚMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P|..2017-10-23 07:30:56.494ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\scripts\vgAuth.bat.WNCRYT2017-03-16 23:36:16.0002017-10-23 07:30:56.494nalÐ**¸Û¬t‹ÝÐKÓ  ?Õ,&  0H!€4o~ÝÐKÓ„ØÛMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pb..2017-10-23 07:30:56.510ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\IconCache.db.WNCRYT2017-09-03 05:39:43.0532017-10-23 07:30:56.510¿Lõiû¸**øÜZá£ÝÐKÓ  ?Õ,&  0HÁ!€¬t‹ÝÐKÓ„ØÜMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:30:56.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\AppBlue.png.WNCRYT2017-10-23 06:46:58.6612017-10-23 07:30:56.556pW*Âàø**Ý°ÝÐKÓ  ?Õ,&  0HË!€Zá£ÝÐKÓ„ØÝMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:56.760ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\AppErrorBlue.png.WNCRYT2017-10-23 06:47:04.5052017-10-23 07:30:56.729on**Þ@½½ÝÐKÓ  ?Õ,&  0HÍ!€°ÝÐKÓ„ØÞMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:30:56.838ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\AppErrorWhite.png.WNCRYT2017-10-23 06:47:04.7082017-10-23 07:30:56.807n**øß`çßÝÐKÓ  ?Õ,&  0HÃ!€@½½ÝÐKÓ„ØßMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:30:56.932ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\AppWhite.png.WNCRYT2017-10-23 06:47:04.7862017-10-23 07:30:56.932Syø**àØ:àÝÐKÓ  ?Õ,&  0HÍ!€`çßÝÐKÓ„ØàMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:30:57.151ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\AutoPlayOptIn.gif.WNCRYT2017-10-23 06:47:04.9112017-10-23 07:30:56.978y**á±OçÝÐKÓ  ?Õ,&  0HÍ!€Ø:àÝÐKÓ„ØáMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:30:57.151ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\AutoPlayOptIn.png.WNCRYT2017-10-23 06:47:04.9582017-10-23 07:30:57.151y**âgcñÝÐKÓ  ?Õ,&  0HÑ!€±OçÝÐKÓ„ØâMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:30:57.198ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\CollectSyncLogs.bat.WNCRYT2017-10-23 06:47:05.0522017-10-23 07:30:57.182mon**ãVûÝÐKÓ  ?Õ,&  0HÑ!€gcñÝÐKÓ„ØãMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:30:57.260ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\ElevatedAppBlue.png.WNCRYT2017-10-23 06:47:05.2862017-10-23 07:30:57.244pW*Âà**äBJÞÐKÓ  ?Õ,&  0HÓ!€VûÝÐKÓ„ØäMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¶..2017-10-23 07:30:57.307ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\ElevatedAppWhite.png.WNCRYT2017-10-23 06:47:05.5522017-10-23 07:30:57.291iû**ðåï&ÞÐKÓ  ?Õ,&  0H½!€BJÞÐKÓ„ØåMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:30:57.369ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\Error.png.WNCRYT2017-10-23 06:47:05.7082017-10-23 07:30:57.338nð**æ2ÍÞÐKÓ  ?Õ,&  0HË!€ï&ÞÐKÓ„ØæMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:57.447ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\OneDriveLogo.png.WNCRYT2017-10-23 06:46:27.2862017-10-23 07:30:57.431on**ç~æÞÐKÓ  ?Õ,&  0HÍ!€2ÍÞÐKÓ„ØçMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:30:57.479ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\QuotaCritical.png.WNCRYT2017-10-23 06:49:10.5962017-10-23 07:30:57.479n**èl ÞÐKÓ  ?Õ,&  0HÇ!€~æÞÐKÓ„ØèMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:30:57.525ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\QuotaError.png.WNCRYT2017-10-23 06:49:11.9242017-10-23 07:30:57.510smon**霣4ÞÐKÓ  ?Õ,&  0HË!€l ÞÐKÓ„ØéMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:57.573ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\QuotaNearing.png.WNCRYT2017-10-23 06:49:13.2212017-10-23 07:30:57.557on**ê3å8ÞÐKÓ  ?Õ,&  0HÑ!€œ£4ÞÐKÓ„ØêMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:30:57.713ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\ScreenshotOptIn.gif.WNCRYT2017-10-23 06:49:18.9402017-10-23 07:30:57.651pW*Âà**ø믶=ÞÐKÓ  ?Õ,&  0HÁ!€3å8ÞÐKÓ„ØëMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:30:57.728ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\Warning.png.WNCRYT2017-10-23 06:49:46.2992017-10-23 07:30:57.728monø**ìèAÞÐKÓ  ?Õ,&  0HÝ!€¯¶=ÞÐKÓ„ØìMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÀ..2017-10-23 07:30:57.760ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\acmDismissIcon.svg.WNCRYT2017-10-23 06:49:08.4862017-10-23 07:30:57.760û**í0QÞÐKÓ  ?Õ,&  0HË!€èAÞÐKÓ„ØíMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:30:57.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\cloud.svg.WNCRYT2017-10-23 06:49:20.7682017-10-23 07:30:57.791iû**îÅ`ÞÐKÓ  ?Õ,&  0HÙ!€0QÞÐKÓ„ØîMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:30:57.885ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\done_graphic.svg.WNCRYT2017-10-23 06:49:27.8312017-10-23 07:30:57.885sofWindows-Sysm  ?Õ,&  0H0-€Å`ÞÐKÓ„ØïMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.on\Pytho2017-10-23 07:30:57.994ŸR xšíYZ×RYT2017-06-16 12:32:48.000ElfChnkï8ï8€èúØýúk˜Û Àóè8=Î÷²›f?øm©MFº&[ä›õé**  mÞÐKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H»!€Å`ÞÐKÓ„ØïMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüétlüâ:IŽ'1¶ÌÔˆºÿÿ®D‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .PÌ..2017-10-23 07:30:57.994ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\folder_image_desktop.svg.WNCRYT2017-10-23 06:49:33.7682017-10-23 07:30:57.947  ** ðHmŽÞÐKÓ  ?Õ,&  0Hí!€ŒšmÞÐKÓ„ØðMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÐ..2017-10-23 07:30:58.072ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\folder_image_documents.svg.WNCRYT2017-10-23 06:49:38.3622017-10-23 07:30:58.041 ** ñĨšÞÐKÓ  ?Õ,&  0Hë!€HmŽÞÐKÓ„ØñMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÎ..2017-10-23 07:30:58.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\folder_image_pictures.svg.WNCRYT2017-10-23 06:49:42.0502017-10-23 07:30:58.276 **òÏ)¢ÞÐKÓ  ?Õ,&  0HÓ!€Ä¨šÞÐKÓ„ØòMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¶..2017-10-23 07:30:58.369ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\iceBucket.svg.WNCRYT2017-10-23 06:49:45.1902017-10-23 07:30:58.3690**ó…$§ÞÐKÓ  ?Õ,&  0HÛ!€Ï)¢ÞÐKÓ„ØóMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¾..2017-10-23 07:30:58.416ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\onDemandFiles.svg.WNCRYT2017-10-23 06:49:51.9242017-10-23 07:30:58.416** ôe°ÞÐKÓ  ?Õ,&  0Hë!€…$§ÞÐKÓ„ØôMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÎ..2017-10-23 07:30:58.447ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\onDemandSelectiveSync.svg.WNCRYT2017-10-23 06:49:53.7212017-10-23 07:30:58.447 **õm¹¸ÞÐKÓ  ?Õ,&  0Hß!€e°ÞÐKÓ„ØõMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:30:58.510ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\onedrivePremium.svg.WNCRYT2017-10-23 06:49:55.2212017-10-23 07:30:58.510Micr**öªƒ½ÞÐKÓ  ?Õ,&  0Hã!€m¹¸ÞÐKÓ„ØöMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:30:58.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\partiallyFreezing.svg.WNCRYT2017-10-23 06:49:59.6592017-10-23 07:30:58.541ow**÷å+ÂÞÐKÓ  ?Õ,&  0HÑ!€ªƒ½ÞÐKÓ„Ø÷Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:30:58.604ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\settings.svg.WNCRYT2017-10-23 06:50:02.5022017-10-23 07:30:58.604-Sy**ø'‰ÉÞÐKÓ  ?Õ,&  0Há!€å+ÂÞÐKÓ„ØøMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÄ..2017-10-23 07:30:58.635ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\settingsdisabled.svg.WNCRYT2017-10-23 06:50:07.8932017-10-23 07:30:58.635õiû**ùrÛßÞÐKÓ  ?Õ,&  0HÍ!€'‰ÉÞÐKÓ„ØùMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:30:58.682ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\signIn.svg.WNCRYT2017-10-23 06:50:11.3152017-10-23 07:30:58.682û**úŒÙâÞÐKÓ  ?Õ,&  0Hß!€rÛßÞÐKÓ„ØúMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:30:58.822ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\stackedIceCubes.svg.WNCRYT2017-10-23 06:50:12.8312017-10-23 07:30:58.760t-Wi**ûŸ“óÞÐKÓ  ?Õ,&  0HÕ!€ŒÙâÞÐKÓ„ØûMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¸..2017-10-23 07:30:58.853ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\waterGlass.svg.WNCRYT2017-10-23 06:50:16.0492017-10-23 07:30:58.853w**PüGNÿÞÐKÓ  ?Õ,&  0H!€Ÿ“óÞÐKÓ„ØüMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pú..2017-10-23 07:30:58.962ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_107_0.png.WNCRYT2017-10-23 07:28:31.7202017-10-23 07:30:58.900®.P**Pýž¸ßÐKÓ  ?Õ,&  0H!€GNÿÞÐKÓ„ØýMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pú..2017-10-23 07:30:59.041ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_108_0.png.WNCRYT2017-10-23 07:28:40.5472017-10-23 07:30:59.025C:\tP**èþ’ßÐKÓ  ?Õ,&  0Hµ!€ž¸ßÐKÓ„ØþMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P˜..2017-10-23 07:30:59.072ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Caches\cversions.3.db.WNCRYT2017-09-03 05:37:01.4642017-10-23 07:30:59.041è**PÿßÐKÓ  ?Õ,&  0H!€’ßÐKÓ„ØÿMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pþ..2017-10-23 07:30:59.197ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Caches\{33FF5E6A-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRYT2017-09-03 05:45:16.1632017-10-23 07:30:59.150skP**PP¶YßÐKÓ  ?Õ,&  0H!€ßÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pþ..2017-10-23 07:30:59.229ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000009.db.WNCRYT2017-10-23 06:51:43.0502017-10-23 07:30:59.213PrP**ðêdßÐKÓ  ?Õ,&  0H»!€P¶YßÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pž..2017-10-23 07:30:59.619ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRYT2017-09-03 05:37:51.8712017-10-23 07:30:59.229a\ð**ðü\˜ßÐKÓ  ?Õ,&  0H½!€êdßÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:30:59.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db.WNCRYT2017-09-03 05:37:51.8712017-10-23 07:30:59.650\ð**ðNò¬ßÐKÓ  ?Õ,&  0H»!€ü\˜ßÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pž..2017-10-23 07:31:00.041ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRYT2017-09-03 05:37:51.8712017-10-23 07:30:59.760xeð**ðz¨´ßÐKÓ  ?Õ,&  0H»!€Nò¬ßÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pž..2017-10-23 07:31:00.166ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRYT2017-09-03 05:37:51.8712017-10-23 07:31:00.072skð**ð¼ßÐKÓ  ?Õ,&  0H½!€z¨´ßÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:31:00.230ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRYT2017-09-03 05:37:51.8562017-10-23 07:31:00.166sð**ð· ÏßÐKÓ  ?Õ,&  0H½!€¼ßÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:31:00.277ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRYT2017-09-03 05:37:49.8552017-10-23 07:31:00.260oð**øÊŸáßÐKÓ  ?Õ,&  0H¿!€· ÏßÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:00.400ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT2017-09-03 05:37:49.8552017-10-23 07:31:00.385testø**ðìüßÐKÓ  ?Õ,&  0H½!€ÊŸáßÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:31:00.510ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT2017-09-03 05:37:49.8552017-10-23 07:31:00.400tð**ð < àÐKÓ  ?Õ,&  0H½!€ìüßÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:31:00.698ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRYT2017-09-03 05:37:49.8552017-10-23 07:31:00.541ð**ð ¢5àÐKÓ  ?Õ,&  0H½!€< àÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:31:00.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRYT2017-09-03 05:37:49.8552017-10-23 07:31:00.6981ð**ø ›FTàÐKÓ  ?Õ,&  0H¿!€¢5àÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:01.010ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT2017-09-03 05:37:49.8552017-10-23 07:31:00.963:30:ø**x PÀaàÐKÓ  ?Õ,&  0HE!€›FTàÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P(..2017-10-23 07:31:01.276ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\0GGHXPLK\apps.13863.9007199266247335.56f360b7-b4ea-40cb-a5e7-aad3a9b4d929[1].png.WNCRYT2017-09-03 10:42:45.8162017-10-23 07:31:01.260Ux**x ZfàÐKÓ  ?Õ,&  0HE!€PÀaàÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P(..2017-10-23 07:31:01.353ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\0GGHXPLK\apps.14793.9007199267163071.55f83110-ba62-4b6a-bc0a-8f12f27a5bb9[1].png.WNCRYT2017-09-03 10:42:46.6282017-10-23 07:31:01.353kx**xò±nàÐKÓ  ?Õ,&  0HC!€ZfàÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P&..2017-10-23 07:31:01.385ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\0GGHXPLK\apps.2362.9007199266246189.fd20b133-f4b5-429b-8165-4a4b899c4923[1].png.WNCRYT2017-09-03 10:44:59.5512017-10-23 07:31:01.385:3x**€mÖràÐKÓ  ?Õ,&  0HG!€ò±nàÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P*..2017-10-23 07:31:01.447ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\0GGHXPLK\apps.42481.13510798886817818.d12e8ef7-c7a8-43df-80b4-6b057491e061[1].png.WNCRYT2017-09-03 10:34:51.4492017-10-23 07:31:01.4470€**xƒÉâÐKÓ  ?Õ,&  0H!€t‹âÐKÓ„Ø.Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pö..2017-10-23 07:31:04.978ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\ZARGHHBO\2\ab3f8756[1].js.WNCRYT2017-09-03 05:38:22.4972017-10-23 07:31:04.947eDH**H/Ú~éâÐKÓ  ?Õ,&  0H!€j>ÉâÐKÓ„Ø/Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pö..2017-10-23 07:31:05.384ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\ZARGHHBO\2\bde10b3b[1].js.WNCRYT2017-09-03 05:38:22.8252017-10-23 07:31:05.197pBH**H0¦‚íâÐKÓ  ?Õ,&  0H!€Ú~éâÐKÓ„Ø0Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pö..2017-10-23 07:31:05.604ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\ZARGHHBO\2\cb8b899e[1].js.WNCRYT2017-09-03 05:38:23.5912017-10-23 07:31:05.4317:H**H16óâÐKÓ  ?Õ,&  0H!€¦‚íâÐKÓ„Ø1Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pö..2017-10-23 07:31:05.635ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\ZARGHHBO\2\cba3ade3[1].js.WNCRYT2017-09-03 05:38:22.7942017-10-23 07:31:05.604ÍÞH**¸2W,ýâÐKÓ  ?Õ,&  0Hƒ!€6óâÐKÓ„Ø2Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx[äÀ5ñxaæâçz|°âÊRÿÿFAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .@æ@, Z..2017-10-23 07:31:05.666ŸR ¹šíY‡²“˜C:\Windows\System32\eventvwr.exe"C:\Windows\system32\eventvwr.exe" /l:"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%%4Operational.evtx"C:\Windows\System32\winevt\Logs\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=967A4A8C5AE701AB8EA069F45764EB09AF4A89D2ŸR S–«Y­{ C:\Windows\explorer.exeC:\Windows\Explorer.EXEks¸**H3ÔÝãÐKÓ  ?Õ,&  0H!€W,ýâÐKÓ„Ø3Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pö..2017-10-23 07:31:05.728ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\ZARGHHBO\2\d770967b[1].js.WNCRYT2017-09-03 05:38:22.8572017-10-23 07:31:05.682pDH**H4Ág%ãÐKÓ  ?Õ,&  0H!€ÔÝãÐKÓ„Ø4Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pö..2017-10-23 07:31:05.931ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\ZARGHHBO\2\e8bd5198[1].js.WNCRYT2017-09-03 05:38:22.6222017-10-23 07:31:05.86969H**ø5Ž?ãÐKÓ  ?Õ,&  0HÃ!€Ág%ãÐKÓ„Ø5Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:05.994ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\abstract.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:05.978veø**À68WcãÐKÓ  ?Õ,&  0H‡!€Ž?ãÐKÓ„Ø6Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å›õ¢å _Ö¡`Ÿ(À›AÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .@2017-10-23 07:31:06.166ŸR ¹šíY‡²“˜C:\Windows\System32\eventvwr.exeAppDÀ**È7´SgãÐKÓ  ?Õ,&  0H“!€8WcãÐKÓ„Ø7Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx[ä.>J(& Z>T2017-10-23 07:31:06.408ŸR ºšíYx¸“C:\Windows\System32\consent.execonsent.exe 1012 476 000001F7C02E1240C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B02648A975909E63D93E3531C1250F89BA676F9FŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs20È**ð8c,nãÐKÓ  ?Õ,&  0H»!€´SgãÐKÓ„Ø8Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pž..2017-10-23 07:31:06.431ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\accu.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:06.41623ð6:49:27.8312  ?Õ,&  0H ?Õ,€c,nãÐKÓ„Ø9Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pdows-S2017-10-23 07:31:06.463ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeRYT2017-06-16 12:32:48.000ElfChnk9ˆ9ˆ€xüxÿ]{°^’i^óè8=Î÷²›f?øm©MFº&[Z[˜é**p 9ØžpãÐKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H!€c,nãÐKÓ„Ø9Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüétlüâ:IŽ'1¶ÌÔˆºÿÿ®D‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .Pž..2017-10-23 07:31:06.463ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\asdl.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:06.46301p **:ô¢sãÐKÓ  ?Õ,&  0HÑ!€ØžpãÐKÓ„Ø:Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:06.494ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\bytearrayobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:06.4793 0**;H.‘ãÐKÓ  ?Õ,&  0HÉ!€ô¢sãÐKÓ„Ø;Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:06.510ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\bytesobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:06.510WNC**<¯ ’ãÐKÓ  ?Õ,&  0HÍ!€H.‘ãÐKÓ„Ø<Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:31:06.698ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\bytes_methods.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:06.698g**ð=ò­•ãÐKÓ  ?Õ,&  0H½!€¯ ’ãÐKÓ„Ø=Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:31:06.713ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\ceval.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:06.698oð**>±¿˜ãÐKÓ  ?Õ,&  0HÉ!€ò­•ãÐKÓ„Ø>Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:06.729ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\classobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:06.72930\**ð?@ÀãÐKÓ  ?Õ,&  0H»!€±¿˜ãÐKÓ„Ø?Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pž..2017-10-23 07:31:06.744ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\code.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:06.744t\ð**ø@zìÀãÐKÓ  ?Õ,&  0H¿!€@ÀãÐKÓ„Ø@Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:07.009ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\codecs.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:06.916ata\ø**øAO´ÉãÐKÓ  ?Õ,&  0HÁ!€zìÀãÐKÓ„ØAMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:07.009ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\compile.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:07.009ersø**BBÑËãÐKÓ  ?Õ,&  0HÍ!€O´ÉãÐKÓ„ØBMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:31:07.073ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\complexobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:07.073U**øCñžúãÐKÓ  ?Õ,&  0HÃ!€BÑËãÐKÓ„ØCMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:07.088ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\datetime.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:07.073e\ø**DïüãÐKÓ  ?Õ,&  0HÉ!€ñžúãÐKÓ„ØDMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:07.384ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\descrobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:07.384he\**E-füãÐKÓ  ?Õ,&  0HÇ!€ïüãÐKÓ„ØEMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:07.400ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\dictobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:07.400\too**F´äÐKÓ  ?Õ,&  0HÙ!€-füãÐKÓ„ØFMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:31:07.400ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\dynamic_annotations.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:07.400s\t**øGþ¨8äÐKÓ  ?Õ,&  0HÁ!€´äÐKÓ„ØGMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:07.635ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\errcode.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:07.6190-2ø**Hå…?äÐKÓ  ?Õ,&  0HÇ!€þ¨8äÐKÓ„ØHMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:07.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\fileobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:07.791/Ope**øI"5näÐKÓ  ?Õ,&  0HÅ!€å…?äÐKÓ„ØIMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:07.838ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\fileutils.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:07.838lø**J¬@‰äÐKÓ  ?Õ,&  0HÉ!€"5näÐKÓ„ØJMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:08.150ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\floatobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:08.150pW*Âà**KÅÍäÐKÓ  ?Õ,&  0HÉ!€¬@‰äÐKÓ„ØKMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:08.323ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\frameobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:08.323„**Lü`ÍäÐKÓ  ?Õ,&  0HÇ!€ÅÍäÐKÓ„ØLMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:08.759ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\funcobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:08.759**øMr:ÚäÐKÓ  ?Õ,&  0HÅ!€ü`ÍäÐKÓ„ØMMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:08.775ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\genobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:08.775ø**øN‘)áäÐKÓ  ?Õ,&  0HÃ!€r:ÚäÐKÓ„ØNMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:08.838ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\graminit.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:08.823crø**øO óüäÐKÓ  ?Õ,&  0HÁ!€‘)áäÐKÓ„ØOMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:08.900ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\grammar.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:08.900sofø**øP;åÐKÓ  ?Õ,&  0H¿!€ óüäÐKÓ„ØPMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:09.088ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\import.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:09.088t-Wiø**Q^ÁåÐKÓ  ?Õ,&  0HÇ!€;åÐKÓ„ØQMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:09.150ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\listobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:09.150s-Sy**RñåÐKÓ  ?Õ,&  0HÉ!€^ÁåÐKÓ„ØRMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:09.228ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\longintrepr.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:09.228mon**SüGåÐKÓ  ?Õ,&  0HÇ!€ñåÐKÓ„ØSMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:09.228ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\longobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:09.228¿Lõiû**T3ÆåÐKÓ  ?Õ,&  0H[!€üGåÐKÓ„ØTMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx[ZÀ5ñxaæâçz|°âÊRÿÿFAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .>¢(& Z>Z2017-10-23 07:31:09.239ŸR ½šíY‡Ï“( C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch01**U?Ô åÐKÓ  ?Õ,&  0HË!€3ÆåÐKÓ„ØUMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:09.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\memoryobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:09.29199**VÆ@åÐKÓ  ?Õ,&  0HË!€?Ô åÐKÓ„ØVMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:09.323ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\methodobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:09.323ca**Wk=LåÐKÓ  ?Õ,&  0HÇ!€Æ@åÐKÓ„ØWMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:09.525ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\modsupport.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:09.525ool-**XÎÚUåÐKÓ  ?Õ,&  0HË!€k=LåÐKÓ„ØXMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:09.603ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\moduleobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:09.603 t**ðY_åÐKÓ  ?Õ,&  0H»!€ÎÚUåÐKÓ„ØYMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pž..2017-10-23 07:31:09.666ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\node.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:09.666ð**øZ–-`åÐKÓ  ?Õ,&  0H¿!€_åÐKÓ„ØZMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:09.729ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\object.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:09.666 ?Õ,&ø**ø[¤4fåÐKÓ  ?Õ,&  0HÁ!€–-`åÐKÓ„Ø[Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:09.729ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\objimpl.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:09.729017ø**\yÌfåÐKÓ  ?Õ,&  0HÉ!€¤4fåÐKÓ„Ø\Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:09.776ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\odictobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:09.776246**ø]Cb€åÐKÓ  ?Õ,&  0H¿!€yÌfåÐKÓ„Ø]Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:09.776ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\opcode.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:09.776Locaø**ø^Ñ}†åÐKÓ  ?Õ,&  0HÃ!€Cb€åÐKÓ„Ø^Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:09.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\parsetok.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:09.947\tø**È_žÀ­åÐKÓ  ?Õ,&  0H•!€Ñ}†åÐKÓ„Ø_Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx[Z.L8, ZPV2017-10-23 07:31:09.968ŸR ½šíY³à“ÀC:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" eÈ**`œ,®åÐKÓ  ?Õ,&  0HÇ!€žÀ­åÐKÓ„Ø`Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:10.244ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\patchlevel.h.WNCRYT2017-07-07 19:58:02.0002017-10-23 07:31:10.24410-2**abU´åÐKÓ  ?Õ,&  0HÉ!€œ,®åÐKÓ„ØaMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:10.244ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pgenheaders.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:10.244sof**øb°´åÐKÓ  ?Õ,&  0HÁ!€bU´åÐKÓ„ØbMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:10.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pyarena.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:10.275Hø**øcYk¸åÐKÓ  ?Õ,&  0HÃ!€°´åÐKÓ„ØcMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:10.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pyatomic.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:10.2911:ø**ød—’ÃåÐKÓ  ?Õ,&  0HÅ!€Yk¸åÐKÓ„ØdMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:10.307ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pycapsule.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:10.307bø**øeåÌÅåÐKÓ  ?Õ,&  0HÃ!€—’ÃåÐKÓ„ØeMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:10.385ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pyconfig.h.WNCRYT2017-06-17 11:57:20.0002017-10-23 07:31:10.307IEø**øf¾ÐÛåÐKÓ  ?Õ,&  0HÁ!€åÌÅåÐKÓ„ØfMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:10.400ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pyctype.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:10.400askø**¸gY>ÝåÐKÓ  ?Õ,&  0H…!€¾ÐÛåÐKÓ„ØgMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å[˜¢å _Ö¡`Ÿ(À›AÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .>2017-10-23 07:31:10.541ŸR ºšíYx¸“C:\Windows\System32\consent.exee¸**(hîUõåÐKÓ  ?Õ,&  0Hñ!€Y>ÝåÐKÓ„ØhMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx[Z.>¢(& Z>Z2017-10-23 07:31:10.562ŸR ¾šíY£ú“HC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchoft(**øiæÐKÓ  ?Õ,&  0HÁ!€îUõåÐKÓ„ØiMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:10.713ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pydebug.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:10.713tooø**øjüãæÐKÓ  ?Õ,&  0HÃ!€æÐKÓ„ØjMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:10.823ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pydtrace.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:10.823alø**0kÔ;æÐKÓ  ?Õ,&  0Hý!€üãæÐKÓ„ØkMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx[Z.@æ(,Z..2017-10-23 07:31:10.888ŸR ¾šíY÷”˜ C:\Windows\System32\eventvwr.exe"C:\Windows\system32\eventvwr.exe" /l:"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%%4Operational.evtx"C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=967A4A8C5AE701AB8EA069F45764EB09AF4A89D2ŸR S–«Y­{ C:\Windows\explorer.exeC:\Windows\Explorer.EXE\0**ølÒQæÐKÓ  ?Õ,&  0HÃ!€Ô;æÐKÓ„ØlMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:11.056ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pyerrors.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:10.823ø**øm"ØiæÐKÓ  ?Õ,&  0HÁ!€ÒQæÐKÓ„ØmMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:11.119ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pyexpat.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:11.119sofø**ðn!jæÐKÓ  ?Õ,&  0H½!€"ØiæÐKÓ„ØnMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:31:11.134ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pyfpe.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:11.134ð**øo|jæÐKÓ  ?Õ,&  0H¿!€!jæÐKÓ„ØoMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:11.166ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pyhash.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:11.1661.miø**pË/jæÐKÓ  ?Õ,&  0HÉ!€|jæÐKÓ„ØpMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:11.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pylifecycle.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:11.1663d8**q¬·æÐKÓ  ?Õ,&  0H±!€ã§›æÐKÓ„ØyMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å[˜.L2017-10-23 07:31:11.807ŸR ½šíY³à“ÀC:\tool-test\tools\tasksche\taskdl.exe tè**øzQn·æÐKÓ  ?Õ,&  0H¿!€¾>·æÐKÓ„ØzMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:11.978ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\Python.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:11.900¿Lõiûø**ø{ ‰ÂæÐKÓ  ?Õ,&  0HÅ!€Qn·æÐKÓ„Ø{Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:11.978ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pythonrun.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:11.978ø**ø|2)ÈæÐKÓ  ?Õ,&  0HÃ!€ ‰ÂæÐKÓ„Ø|Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:12.056ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pythread.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.056ø**ø}PÉæÐKÓ  ?Õ,&  0H¿!€2)ÈæÐKÓ„Ø}Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:12.088ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pytime.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.0885.19ø**ø~.ÐæÐKÓ  ?Õ,&  0HÅ!€PÉæÐKÓ„Ø~Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:12.103ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\py_curses.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.103-ø**øÀÔæÐKÓ  ?Õ,&  0HÅ!€.ÐæÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:12.134ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\setobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.134cø**€®“ÝæÐKÓ  ?Õ,&  0HÉ!€ÀÔæÐKÓ„Ø€Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:12.150ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\sliceobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.150Aÿÿ7**±ÛâæÐKÓ  ?Õ,&  0HË!€®“ÝæÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:12.228ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\structmember.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.228\e**0‚¢4ææÐKÓ  ?Õ,&  0H÷!€±ÛâæÐKÓ„Ø‚Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx[Z.6"(,Z@ä2017-10-23 07:31:12.269ŸR ÀšíYåh”ŒC:\Windows\System32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%%4Operational.evtx"C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=CF7AD4F94EDA214BD5283CB8AD57DB52D2D558FCŸR ¾šíY÷”˜ C:\Windows\System32\eventvwr.exe"C:\Windows\system32\eventvwr.exe" /l:"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx"7b[10**øƒ©ÃææÐKÓ  ?Õ,&  0HÅ!€¢4ææÐKӄ؃Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:12.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\structseq.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.2912ø**ø„œ çæÐKÓ  ?Õ,&  0HÃ!€©ÃææÐKÓ„Ø„Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:12.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\symtable.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.291Prø**ø…(èæÐKÓ  ?Õ,&  0HÅ!€œ çæÐKÓ„Ø…Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:12.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\sysmodule.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.291ø**ð†‹‹ÿæÐKÓ  ?Õ,&  0H½!€(èæÐKӄ؆Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:31:12.306ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\token.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.306sð**ø‡?çÐKÓ  ?Õ,&  0HÅ!€‹‹ÿæÐKӄ؇Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:12.448ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\traceback.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.448ø**ˆ¢ý,çÐKÓ  ?Õ,&  0HÉ!€?çÐKӄ؈Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:12.603ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\tupleobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.572\tool-test\t  ?Õ,&eRYT2017-06-16 12:32€¢ý,çÐKÓElfChnk‰Ú‰Ú€0ûþäh íV†-tóè8=Î÷²›f?øm©MFº&£é**x ‰9›-çÐKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H—!€¢ý,çÐKӄ؉Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüétlüâ:IŽ'1¶ÌÔˆºÿÿ®D‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .P¨..2017-10-23 07:31:12.760ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\typeslots.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.745x **øŠ;(3çÐKÓ  ?Õ,&  0HÁ!€9›-çÐKÓ„ØŠMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:12.760ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\ucnhash.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.760479ø**‹.3çÐKÓ  ?Õ,&  0HÍ!€;(3çÐKÓ„Ø‹Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:31:12.760ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\unicodeobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.7600**øŒIÈ3çÐKÓ  ?Õ,&  0HÃ!€.3çÐKÓ„ØŒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:12.775ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\warnings.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.7751:ø**À'NçÐKÓ  ?Õ,&  0H‡!€IÈ3çÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å£¢å _Ö¡`Ÿ(À›AÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .@2017-10-23 07:31:12.806ŸR ¾šíY÷”˜ C:\Windows\System32\eventvwr.exe1:57À**Ž¤†UçÐKÓ  ?Õ,&  0HÍ!€'NçÐKÓ„ØŽMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:31:12.978ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\weakrefobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:12.9781**5YçÐKÓ  ?Õ,&  0HÙ!€¤†UçÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:31:13.025ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\Icons\idle_16.gif.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.025-23**œ\YçÐKÓ  ?Õ,&  0HÙ!€5YçÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:31:13.041ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\Icons\idle_16.png.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.04116**‘*]çÐKÓ  ?Õ,&  0HÙ!€œ\YçÐKÓ„Ø‘Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:31:13.041ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\Icons\idle_32.gif.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.041B**’ƒ…]çÐKÓ  ?Õ,&  0HÙ!€*]çÐKÓ„Ø’Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:31:13.072ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\Icons\idle_32.png.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.072**“Ç^çÐKÓ  ?Õ,&  0HÙ!€ƒ…]çÐKÓ„Ø“Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:31:13.072ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\Icons\idle_48.gif.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.072**” ¥açÐKÓ  ?Õ,&  0HÙ!€Ç^çÐKÓ„Ø”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:31:13.072ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\Icons\idle_48.png.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.072**€•7fçÐKÓ  ?Õ,&  0HG!€ ¥açÐKÓ„Ø•Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P*..2017-10-23 07:31:13.104ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\coverage-4.4.1-py3.6-win32.egg\coverage\htmlfiles\coverage_html.js.WNCRYT2017-09-03 15:58:00.9292017-10-23 07:31:13.104ndow€**€–ÒlçÐKÓ  ?Õ,&  0HI!€7fçÐKÓ„Ø–Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P,..2017-10-23 07:31:13.135ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\coverage-4.4.1-py3.6-win32.egg\coverage\htmlfiles\jquery.hotkeys.js.WNCRYT2017-09-03 15:58:00.9612017-10-23 07:31:13.135 t€**ˆ— †çÐKÓ  ?Õ,&  0HO!€ÒlçÐKÓ„Ø—Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P2..2017-10-23 07:31:13.166ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\coverage-4.4.1-py3.6-win32.egg\coverage\htmlfiles\jquery.isonscreen.js.WNCRYT2017-09-03 15:58:00.9612017-10-23 07:31:13.166ls\tˆ**x˜H©—çÐKÓ  ?Õ,&  0HA!€ †çÐKӄؘMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P$..2017-10-23 07:31:13.338ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\coverage-4.4.1-py3.6-win32.egg\coverage\htmlfiles\jquery.min.js.WNCRYT2017-09-03 15:58:00.9612017-10-23 07:31:13.197s\Px**™Š=¨çÐKÓ  ?Õ,&  0HY!€H©—çÐKÓ„Ø™Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P<..2017-10-23 07:31:13.448ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\coverage-4.4.1-py3.6-win32.egg\coverage\htmlfiles\jquery.tablesorter.min.js.WNCRYT2017-09-03 15:58:01.0082017-10-23 07:31:13.431-10**8šÌF³çÐKÓ  ?Õ,&  0H!€Š=¨çÐKÓ„ØšMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pä..2017-10-23 07:31:13.557ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\pip\_vendor\requests\cacert.pem.WNCRYT2017-09-03 10:33:48.3202017-10-23 07:31:13.526L8**›ÿL³çÐKÓ  ?Õ,&  0HÇ!€ÌF³çÐKÓ„Ø›Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:13.635ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\allsans.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.635M**œÊÏÂçÐKÓ  ?Õ,&  0HÇ!€ÿL³çÐKÓ„ØœMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:13.635ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\badcert.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.635‘)áä**ø$³ÊçÐKÓ  ?Õ,&  0HÅ!€ÊÏÂçÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:13.744ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\badkey.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.728äø**ž äÐçÐKÓ  ?Õ,&  0HÕ!€$³ÊçÐKÓ„ØžMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¸..2017-10-23 07:31:13.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\keycert.passwd.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.791**ŸÑçÐKÓ  ?Õ,&  0HÇ!€ äÐçÐKÓ„ØŸMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:13.823ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\keycert.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.823** µÒçÐKÓ  ?Õ,&  0HÉ!€ÑçÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:13.838ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\keycert2.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.838**¡‡ÒçÐKÓ  ?Õ,&  0HÉ!€µÒçÐKÓ„Ø¡Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:13.838ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\keycert3.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.838**¢WP×çÐKÓ  ?Õ,&  0HÉ!€‡ÒçÐKÓ„Ø¢Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:13.838ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\keycert4.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.838**ø£Á¨×çÐKÓ  ?Õ,&  0HÃ!€WP×çÐKÓ„Ø£Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:13.870ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\nokia.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.870ø**¤ŸÜçÐKÓ  ?Õ,&  0HÑ!€Á¨×çÐKӄؤMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:13.870ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\nullbytecert.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.870tem**¥.wÜçÐKÓ  ?Õ,&  0HÉ!€ŸÜçÐKÓ„Ø¥Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:13.901ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\pycacert.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.901**¦`ÖÜçÐKÓ  ?Õ,&  0HÇ!€.wÜçÐKӄئMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:13.901ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\pycakey.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.901Z×**ø§ªûäçÐKÓ  ?Õ,&  0HÅ!€`ÖÜçÐKӄاMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:13.901ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\sha256.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.901ø**¨G÷çÐKÓ  ?Õ,&  0HÇ!€ªûäçÐKӄبMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:13.963ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\testtar.tar.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:13.916xšíY**©NO èÐKÓ  ?Õ,&  0HË!€G÷çÐKÓ„Ø©Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:14.072ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\wrongcert.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:14.072**ª¼èÐKÓ  ?Õ,&  0Hã!€NO èÐKӄتMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:31:14.213ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\audiodata\pluck-pcm16.wav.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:14.119oo**«èÐKÓ  ?Õ,&  0Hã!€¼èÐKÓ„Ø«Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:31:14.275ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\audiodata\pluck-pcm24.wav.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:14.260sk**¬ÈèÐKÓ  ?Õ,&  0Hã!€èÐKӄجMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:31:14.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\audiodata\pluck-pcm32.wav.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:14.291rs**­ACèÐKÓ  ?Õ,&  0Há!€ÈèÐKÓ„Ø­Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÄ..2017-10-23 07:31:14.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\audiodata\pluck-pcm8.wav.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:14.291ppD**®èÐKÓ  ?Õ,&  0HÛ!€ACèÐKÓ„Ø®Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¾..2017-10-23 07:31:14.322ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\imghdrdata\python.bmp.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:14.322Pr**¯ë8èÐKÓ  ?Õ,&  0HÝ!€èÐKӄدMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÀ..2017-10-23 07:31:14.322ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\imghdrdata\python.tiff.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:14.322s**°Fð8èÐKÓ  ?Õ,&  0Hã!€ë8èÐKÓ„Ø°Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:31:14.510ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_asyncio\keycert3.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:14.495**±<%IèÐKÓ  ?Õ,&  0Hã!€Fð8èÐKӄرMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:31:14.510ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_asyncio\pycacert.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:14.510l-**²V¦MèÐKÓ  ?Õ,&  0Hß!€<%IèÐKӄزMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:14.620ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\venv\scripts\nt\Activate.ps1.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:14.620ls\t**ø³êþ‹èÐKÓ  ?Õ,&  0H¿!€V¦MèÐKӄسMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:14.650ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tclConfig.sh.WNCRYT2017-06-16 12:39:28.0002017-10-23 07:31:14.650ls\tø**´q„šèÐKÓ  ?Õ,&  0Hã!€êþ‹èÐKÓ„Ø´Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:31:15.057ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\demos\bitmaps\tix.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:14.666he**µ·ïšèÐKÓ  ?Õ,&  0HÕ!€q„šèÐKӄصMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¸..2017-10-23 07:31:15.150ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\pref\Bisque.cs.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.150U**¶´›èÐKÓ  ?Õ,&  0HÑ!€·ïšèÐKӄضMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:15.150ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\pref\Blue.cs.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.150MNW**·/œèÐKÓ  ?Õ,&  0HÑ!€´›èÐKÓ„Ø·Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:15.166ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\pref\Gray.cs.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.150age**¸mÌ´èÐKÓ  ?Õ,&  0H×!€/œèÐKӄظMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pº..2017-10-23 07:31:15.166ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\pref\SGIGray.cs.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.166A-F1**¹Ä1¸èÐKÓ  ?Õ,&  0H×!€mÌ´èÐKӄعMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pº..2017-10-23 07:31:15.323ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\pref\TixGray.cs.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.323¤.**º¾¸èÐKÓ  ?Õ,&  0HÓ!€Ä1¸èÐKӄغMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¶..2017-10-23 07:31:15.338ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\pref\TkWin.cs.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.3387-**»­2»èÐKÓ  ?Õ,&  0HÛ!€Â¾¸èÐKÓ„Ø»Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¾..2017-10-23 07:31:15.353ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\pref\WmDefault.cs.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.353.**¼§¨»èÐKÓ  ?Õ,&  0Hß!€­2»èÐKӄؼMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:15.370ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\demos\images\earth.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.3700**½sV¾èÐKÓ  ?Õ,&  0Hå!€§¨»èÐKӄؽMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:15.370ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\demos\images\earthris.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.370æ**¾ˆÉ¾èÐKÓ  ?Õ,&  0Há!€sV¾èÐKӄؾMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÄ..2017-10-23 07:31:15.385ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\demos\images\ouster.png.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.385**¿vˆÃèÐKÓ  ?Õ,&  0Hã!€ˆÉ¾èÐKÓ„Ø¿Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:31:15.385ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\demos\images\tcllogo.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.385Sy**À,4ÄèÐKÓ  ?Õ,&  0H×!€vˆÃèÐKÓ„ØÀMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pº..2017-10-23 07:31:15.416ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\images\logo100.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.416¿Lõiû**Áö ÅèÐKÓ  ?Õ,&  0HÕ!€,4ÄèÐKÓ„ØÁMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¸..2017-10-23 07:31:15.416ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\images\logo64.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.416r**Âl\ÅèÐKÓ  ?Õ,&  0HÛ!€ö ÅèÐKÓ„ØÂMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¾..2017-10-23 07:31:15.432ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\images\logoLarge.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.432Wi**ÃC&ÈèÐKÓ  ?Õ,&  0H×!€l\ÅèÐKÓ„ØÃMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pº..2017-10-23 07:31:15.432ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\images\logoMed.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.432smon**ÄD¿ÈèÐKÓ  ?Õ,&  0Hß!€C&ÈèÐKÓ„ØÄMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:15.448ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\images\pwrdLogo100.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.448 t**ÅœðÈèÐKÓ  ?Õ,&  0Hß!€D¿ÈèÐKÓ„ØÅMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:15.448ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\images\pwrdLogo150.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.448.2**ÆÂÎÉèÐKÓ  ?Õ,&  0Hß!€œðÈèÐKÓ„ØÆMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:15.448ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\images\pwrdLogo175.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.448:31:**Ç‹BÊèÐKÓ  ?Õ,&  0Hß!€ÂÎÉèÐKÓ„ØÇMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:15.463ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\images\pwrdLogo200.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.463Z×**È—ÊèÐKÓ  ?Õ,&  0HÝ!€‹BÊèÐKÓ„ØÈMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÀ..2017-10-23 07:31:15.463ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\images\pwrdLogo75.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.463t**ÉœÐËèÐKÓ  ?Õ,&  0HÕ!€—ÊèÐKÓ„ØÉMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¸..2017-10-23 07:31:15.463ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\images\tai-ku.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:15.463s**ØÊ-ÖèÐKÓ  ?Õ,&  0H£!€œÐËèÐKÓ„ØÊMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å£.>2017-10-23 07:31:15.479ŸR ½šíY‡Ï“( C:\Windows\System32\dllhost.exel-Ø**ˈÞÚèÐKÓ  ?Õ,&  0HÇ!€-ÖèÐKÓ„ØËMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:15.541ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Roaming\Microsoft\InputMethod\Chs\ChsPinyinUDL.dat.bak.WNCRYT2017-09-03 10:37:49.7992017-10-23 07:31:15.525test**ØÌ5ÕéÐKÓ  ?Õ,&  0H£!€ˆÞÚèÐKÓ„ØÌMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å£.>2017-10-23 07:31:15.572ŸR ¾šíY£ú“HC:\Windows\System32\dllhost.exeØ**È;JÕéÐKÓ  ?Õ,&  0H!€5ÕéÐKÓ„ØÍMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..”..2017-10-23 07:31:17.181ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db2017-10-23 07:31:17.1812017-10-23 07:31:17.1810È**ÀÎÎoÕéÐKÓ  ?Õ,&  0H!€¾JÕéÐKÓ„ØÎMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..’..2017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db2017-10-23 07:31:17.1972017-10-23 07:31:17.197À**ÀÏRxÕéÐKÓ  ?Õ,&  0H!€ÎoÕéÐKÓ„ØÏMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..’..2017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db2017-10-23 07:31:17.1972017-10-23 07:31:17.1971À**ÀÐ-†ÕéÐKÓ  ?Õ,&  0H!€RxÕéÐKÓ„ØÐMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..’..2017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db2017-10-23 07:31:17.1972017-10-23 07:31:17.1977À**ÀÑ®ÕéÐKÓ  ?Õ,&  0H!€-†ÕéÐKÓ„ØÑMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..’..2017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db2017-10-23 07:31:17.1972017-10-23 07:31:17.197oÀ**ÈÒ ™ÕéÐKÓ  ?Õ,&  0H!€®ÕéÐKÓ„ØÒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..”..2017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db2017-10-23 07:31:17.1972017-10-23 07:31:17.197ythoÈ**ÈÓ¤¡ÕéÐKÓ  ?Õ,&  0H!€ ™ÕéÐKÓ„ØÓMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..”..2017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db2017-09-03 05:37:49.8552017-09-03 05:37:49.855dowsÈ**ÈÔôªÕéÐKÓ  ?Õ,&  0H‘!€¤¡ÕéÐKÓ„ØÔMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..–..2017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db2017-09-03 05:37:49.8552017-09-03 05:37:49.855icrÈ**ÈÕܲÕéÐKÓ  ?Õ,&  0H‘!€ôªÕéÐKÓ„ØÕMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..–..2017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db2017-09-03 05:37:49.8552017-09-03 05:37:49.855ludÈ**ÈÖEºÕéÐKÓ  ?Õ,&  0H‘!€Ü²ÕéÐKÓ„ØÖMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..–..2017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db2017-09-03 05:37:49.8552017-09-03 05:37:49.855s\PÈ**À×^ÂÕéÐKÓ  ?Õ,&  0H!€EºÕéÐKÓ„Ø×Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..’..2017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db2017-09-03 05:37:49.8712017-09-03 05:37:49.871WÀ**ÈØùÉÕéÐKÓ  ?Õ,&  0H‘!€^ÂÕéÐKÓ„ØØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..–..2017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db2017-09-03 05:37:49.8712017-09-03 05:37:49.871he\È**ÈÙÏÑÕéÐKÓ  ?Õ,&  0H‘!€ùÉÕéÐKÓ„ØÙMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..–..2017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db2017-09-03 05:37:49.8712017-09-03 05:37:49.871ol-È**ØÚÀØÕéÐKÓ  ?Õ,&  0H¥!€ÏÑÕéÐKÓ„ØÚMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..ª..2017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db2017-09-03 05:37:49.8712017-09-03 05:37:49.871ØYZ×C:\too  ?Õ,&  0HMN€ÀØÕéÐKÓ„ØÛMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..7:31:12017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXE-06-16 12:32€¢ý,çÐKÓElfChnkÛ)Û)€ûþx¯<%6+„óè8=Î÷²›f?øm©MFº&é**X ÛE}zïÐKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0Hu!€ÀØÕéÐKÓ„ØÛMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüétlüâ:IŽ'1¶ÌÔˆºÿÿ®D‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime ..¨..2017-10-23 07:31:17.197ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db2017-09-03 05:37:49.8712017-09-03 05:37:49.871-2X ** ÜØ—ðÐKÓ  ?Õ,&  0Hg!€E}zïÐKÓ„ØÜMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PJ..2017-10-23 07:31:26.682ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\ToHanJY.zip.WNCRYT2017-10-23 07:20:26.7792017-10-23 07:31:15.572nhas **ØÝöàðÐKÓ  ?Õ,&  0H¥!€Ø—ðÐKÓ„ØÝMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pˆ..2017-10-23 07:31:27.463ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\Noriben-master\Noriben-master\postexec.txt.WNCRYT2017-07-06 06:48:52.0002017-10-23 07:31:27.4633Ø**(Þ]îðÐKÓ  ?Õ,&  0Hï!€öàðÐKÓ„ØÞMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÒ..2017-10-23 07:31:27.588ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\python-evtx-master\python-evtx-master\python_evtx.egg-info\dependency_links.txt.WNCRYT2017-09-03 15:26:59.5392017-10-23 07:31:27.588gs.h(**ß|òðÐKÓ  ?Õ,&  0Hß!€]îðÐKÓ„ØßMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:27.588ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\python-evtx-master\python-evtx-master\python_evtx.egg-info\requires.txt.WNCRYT2017-09-03 15:26:59.5392017-10-23 07:31:27.588vent**ॎ ðÐKÓ  ?Õ,&  0HÝ!€|òðÐKÓ„ØàMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÀ..2017-10-23 07:31:27.588ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\python-evtx-master\python-evtx-master\python_evtx.egg-info\SOURCES.txt.WNCRYT2017-09-03 15:26:59.5712017-10-23 07:31:27.5889**áÄðÐKÓ  ?Õ,&  0Há!€¥Ž ðÐKÓ„ØáMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÄ..2017-10-23 07:31:27.635ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\tool-test\tools\python-evtx-master\python-evtx-master\python_evtx.egg-info\top_level.txt.WNCRYT2017-09-03 15:26:59.5392017-10-23 07:31:27.635-23**ðâëÈðÐKÓ  ?Õ,&  0H½!€ÄðÐKÓ„ØâMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:31:27.681ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\data\input\installProviderHeader.bat.WNCRYT2017-03-16 23:36:14.0002017-10-23 07:31:27.681 ð**(ãÿÒðÐKÓ  ?Õ,&  0Hó!€ëÈðÐKÓ„ØãMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÖ..2017-10-23 07:31:27.698ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\data\input\invokers\cafTestInfra_CafTestInfraProvider_1_0_0.bat.WNCRYT2017-03-16 23:36:14.0002017-10-23 07:31:27.69841(**äöÖðÐKÓ  ?Õ,&  0HÕ!€ÿÒðÐKÓ„ØäMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¸..2017-10-23 07:31:27.744ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\data\input\invokers\caf_ConfigProvider_1_0_0.bat.WNCRYT2017-03-16 23:36:14.0002017-10-23 07:31:27.7293**åfÉðÐKÓ  ?Õ,&  0H×!€öÖðÐKÓ„ØåMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pº..2017-10-23 07:31:27.744ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\data\input\invokers\caf_InstallProvider_1_0_0.bat.WNCRYT2017-03-16 23:36:14.0002017-10-23 07:31:27.7441:13**æò×#ðÐKÓ  ?Õ,&  0Hã!€fÉðÐKÓ„ØæMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:31:27.744ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\data\input\invokers\caf_RemoteCommandProvider_1_0_0.bat.WNCRYT2017-03-16 23:36:14.0002017-10-23 07:31:27.74472**(ç]ò#ðÐKÓ  ?Õ,&  0Hó!€ò×#ðÐKÓ„ØçMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÖ..2017-10-23 07:31:27.775ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\data\input\persistence\protocol\amqpBroker_default\uri_amqp.txt.WNCRYT2017-09-03 05:38:37.3022017-10-23 07:31:27.74401(**0è•$ðÐKÓ  ?Õ,&  0H÷!€]ò#ðÐKÓ„ØèMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÚ..2017-10-23 07:31:27.775ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\data\input\persistence\protocol\amqpBroker_default\uri_tunnel.txt.WNCRYT2017-09-03 05:38:37.3182017-10-23 07:31:27.775over0**Ðéí$ðÐKÓ  ?Õ,&  0H›!€•$ðÐKÓ„ØéMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P~..2017-10-23 07:31:27.775ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\install\GuidGen.vbs.WNCRYT2017-03-16 23:36:16.0002017-10-23 07:31:27.775a\Ð**èêQ-$ðÐKÓ  ?Õ,&  0H³!€í$ðÐKÓ„ØêMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P–..2017-10-23 07:31:27.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\scripts\is-listener-running.bat.WNCRYT2017-03-16 23:36:16.0002017-10-23 07:31:27.7911:è**àëà/,ðÐKÓ  ?Õ,&  0H§!€Q-$ðÐKÓ„ØëMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PŠ..2017-10-23 07:31:27.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\scripts\is-ma-running.bat.WNCRYT2017-03-16 23:36:16.0002017-10-23 07:31:27.791¿Lõiûà**ØìJœ3ðÐKÓ  ?Õ,&  0H£!€à/,ðÐKÓ„ØìMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P†..2017-10-23 07:31:27.853ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\scripts\setUpVgAuth.bat.WNCRYT2017-03-16 23:36:16.0002017-10-23 07:31:27.853Ø**àí X:ðÐKÓ  ?Õ,&  0H©!€Jœ3ðÐKÓ„ØíMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PŒ..2017-10-23 07:31:27.900ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\scripts\start-listener.bat.WNCRYT2017-03-16 23:36:16.0002017-10-23 07:31:27.885-10à**ÐîH;ðÐKÓ  ?Õ,&  0H!€ X:ðÐKÓ„ØîMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P€..2017-10-23 07:31:27.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\scripts\start-ma.bat.WNCRYT2017-03-16 23:36:16.0002017-10-23 07:31:27.9316Ð**èïsÔFðÐKÓ  ?Õ,&  0H³!€H;ðÐKÓ„ØïMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P–..2017-10-23 07:31:27.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\scripts\start-VGAuthService.bat.WNCRYT2017-03-16 23:36:16.0002017-10-23 07:31:27.947.Wè**àð ÚIðÐKÓ  ?Õ,&  0H§!€sÔFðÐKÓ„ØðMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PŠ..2017-10-23 07:31:28.026ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\scripts\stop-listener.bat.WNCRYT2017-03-16 23:36:16.0002017-10-23 07:31:27.978b\teà**Ðñ"ÞIðÐKÓ  ?Õ,&  0H›!€ ÚIðÐKÓ„ØñMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P~..2017-10-23 07:31:28.041ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\scripts\stop-ma.bat.WNCRYT2017-03-16 23:36:16.0002017-10-23 07:31:28.041hoÐ**èòGOðÐKÓ  ?Õ,&  0H±!€"ÞIðÐKÓ„ØòMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P”..2017-10-23 07:31:28.041ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\scripts\stop-VGAuthService.bat.WNCRYT2017-03-16 23:36:16.0002017-10-23 07:31:28.041ocaè**àóKOðÐKÓ  ?Õ,&  0H©!€GOðÐKÓ„ØóMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PŒ..2017-10-23 07:31:28.057ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\ProgramData\VMware\VMware CAF\pme\scripts\tearDownVgAuth.bat.WNCRYT2017-03-16 23:36:16.0002017-10-23 07:31:28.057MNWà**èôõ#UðÐKÓ  ?Õ,&  0Hµ!€KOðÐKÓ„ØôMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P˜..2017-10-23 07:31:28.057ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\OneDrivePersonal.cmd.WNCRYT2017-09-03 05:46:07.5062017-10-23 07:31:28.057eè**øõüLYðÐKÓ  ?Õ,&  0HÅ!€õ#UðÐKÓ„ØõMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:28.119ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\alertIcon.png.WNCRYT2017-10-23 06:46:13.3492017-10-23 07:31:28.104eø**öH©[ðÐKÓ  ?Õ,&  0HÑ!€üLYðÐKÓ„ØöMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:28.135ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\blurrect.png.WNCRYT2017-10-23 06:49:10.1432017-10-23 07:31:28.135exe**÷†­[ðÐKÓ  ?Õ,&  0Hå!€H©[ðÐKÓ„Ø÷Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:28.151ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\checkmark_finished.svg.WNCRYT2017-10-23 06:49:11.5642017-10-23 07:31:28.151\**øÜlaðÐKÓ  ?Õ,&  0Hã!€†­[ðÐKÓ„ØøMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:31:28.151ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\checkmark_hovered.svg.WNCRYT2017-10-23 06:49:12.9092017-10-23 07:31:28.151a\** ù¶¸fðÐKÓ  ?Õ,&  0Hë!€ÜlaðÐKÓ„ØùMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÎ..2017-10-23 07:31:28.197ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\checkmark_in_progress.svg.WNCRYT2017-10-23 06:49:14.3312017-10-23 07:31:28.197\P **úÅhnðÐKÓ  ?Õ,&  0Hå!€¶¸fðÐKÓ„ØúMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:28.228ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\checkmark_selected.svg.WNCRYT2017-10-23 06:49:15.6892017-10-23 07:31:28.228n**ûrxnðÐKÓ  ?Õ,&  0HÏ!€ÅhnðÐKÓ„ØûMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P²..2017-10-23 07:31:28.260ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\chevron.svg.WNCRYT2017-10-23 06:49:18.0182017-10-23 07:31:28.2602\Li**üÙHtðÐKÓ  ?Õ,&  0HÓ!€rxnðÐKÓ„ØüMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¶..2017-10-23 07:31:28.275ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\chevronUp.svg.WNCRYT2017-10-23 06:49:19.4552017-10-23 07:31:28.275te**ý¸'|ðÐKÓ  ?Õ,&  0HÓ!€ÙHtðÐKÓ„ØýMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¶..2017-10-23 07:31:28.322ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\errorIcon.svg.WNCRYT2017-10-23 06:49:30.0492017-10-23 07:31:28.322\a**þ U|ðÐKÓ  ?Õ,&  0HÍ!€¸'|ðÐKÓ„ØþMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:31:28.370ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\folder.svg.WNCRYT2017-10-23 06:49:32.1272017-10-23 07:31:28.3703**ÿTðÐKÓ  ?Õ,&  0HÏ!€ U|ðÐKÓ„ØÿMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P²..2017-10-23 07:31:28.370ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\loading.svg.WNCRYT2017-10-23 06:49:46.7522017-10-23 07:31:28.370n\Py** ˜ðÐKÓ  ?Õ,&  0Hß!€TðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:28.401ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\loading_spinner.svg.WNCRYT2017-10-23 06:49:48.2372017-10-23 07:31:28.401n\Py**÷–ðÐKÓ  ?Õ,&  0HÙ!€ ˜ðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:31:28.463ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\overflowIcon.svg.WNCRYT2017-10-23 06:49:56.8152017-10-23 07:31:28.463tho**­À²ðÐKÓ  ?Õ,&  0Hã!€÷–ðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:31:28.541ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\images\overflowIconWhite.svg.WNCRYT2017-10-23 06:49:58.2062017-10-23 07:31:28.533Py**øâ ³ðÐKÓ  ?Õ,&  0H¿!€­À²ðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:28.681ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db.WNCRYT2017-09-03 05:37:51.8712017-10-23 07:31:28.681ograø**øL*³ðÐKÓ  ?Õ,&  0H¿!€â ³ðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:28.681ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db.WNCRYT2017-09-03 05:37:51.8712017-10-23 07:31:28.681AppDø**øð=³ðÐKÓ  ?Õ,&  0H¿!€L*³ðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:28.681ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db.WNCRYT2017-09-03 05:37:51.8712017-10-23 07:31:28.681C:\Uø**ðZR³ðÐKÓ  ?Õ,&  0H½!€ð=³ðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:31:28.681ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db.WNCRYT2017-09-03 05:37:51.8712017-10-23 07:31:28.681sð**ð\g³ðÐKÓ  ?Õ,&  0H»!€ZR³ðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pž..2017-10-23 07:31:28.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db.WNCRYT2017-09-03 05:37:51.8712017-10-23 07:31:28.697\tð**‹zµðÐKÓ  ?Õ,&  0HÑ!€\g³ðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:28.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db.WNCRYT2017-09-03 05:37:51.8712017-10-23 07:31:28.697est**ø OŒµðÐKÓ  ?Õ,&  0H¿!€‹zµðÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:28.713ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db.WNCRYT2017-09-03 05:37:51.8712017-10-23 07:31:28.713C:\tø**ð UšµðÐKÓ  ?Õ,&  0H»!€OŒµðÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pž..2017-10-23 07:31:28.728ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db.WNCRYT2017-09-03 05:37:51.8712017-10-23 07:31:28.728ŸRð**ø E{ºðÐKÓ  ?Õ,&  0H¿!€UšµðÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:28.728ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db.WNCRYT2017-09-03 05:37:51.8712017-10-23 07:31:28.728:31:ø** ÍãºðÐKÓ  ?Õ,&  0HÓ!€E{ºðÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¶..2017-10-23 07:31:28.728ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db.WNCRYT2017-09-03 05:37:51.8712017-10-23 07:31:28.72807**ø éP¼ðÐKÓ  ?Õ,&  0HÁ!€ÍãºðÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:28.728ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db.WNCRYT2017-09-03 05:37:49.8552017-10-23 07:31:28.728.2ø**øÌY¼ðÐKÓ  ?Õ,&  0HÁ!€éP¼ðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:28.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db.WNCRYT2017-09-03 05:37:49.8552017-10-23 07:31:28.791Pø**øQ[ÂðÐKÓ  ?Õ,&  0HÁ!€ÌY¼ðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:28.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db.WNCRYT2017-09-03 05:37:49.8552017-10-23 07:31:28.791 tø**øæeÃðÐKÓ  ?Õ,&  0H¿!€Q[ÂðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:28.807ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db.WNCRYT2017-09-03 05:37:49.8552017-10-23 07:31:28.791smonø**AwÃðÐKÓ  ?Õ,&  0HÓ!€æeÃðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¶..2017-10-23 07:31:28.823ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db.WNCRYT2017-09-03 05:37:49.8712017-10-23 07:31:28.823ow**ø½„ÃðÐKÓ  ?Õ,&  0HÁ!€AwÃðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:28.823ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db.WNCRYT2017-09-03 05:37:49.8712017-10-23 07:31:28.823õiûø**ðã’ÃðÐKÓ  ?Õ,&  0H½!€½„ÃðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:31:28.823ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db.WNCRYT2017-09-03 05:37:49.8712017-10-23 07:31:28.823ið**ø@§ÅðÐKÓ  ?Õ,&  0HÁ!€ã’ÃðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:28.838ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db.WNCRYT2017-09-03 05:37:49.8712017-10-23 07:31:28.823ø**3ˆÛðÐKÓ  ?Õ,&  0HÕ!€@§ÅðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¸..2017-10-23 07:31:28.838ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db.WNCRYT2017-09-03 05:37:49.8712017-10-23 07:31:28.838**€FŽÛðÐKÓ  ?Õ,&  0HG!€3ˆÛðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P*..2017-10-23 07:31:28.932ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\0GGHXPLK\apps.16813.13510798883380398.c156632d-f870-458a-af83-ac5814380598[1].png.WNCRYT2017-09-03 10:42:47.7692017-10-23 07:31:28.900smon€**x’ÛðÐKÓ  ?Õ,&  0HC!€FŽÛðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P&..2017-10-23 07:31:28.963ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\0GGHXPLK\apps.4694.9007199266246189.669af1ab-b3bd-4b7b-a131-f6fe8476b864[1].png.WNCRYT2017-09-03 10:44:59.8162017-10-23 07:31:28.9631:x**xä0çðÐKÓ  ?Õ,&  0HE!€’ÛðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P(..2017-10-23 07:31:28.978ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\3FKDGKJ6\apps.15158.9007199267163071.05e06c13-c5a6-4b55-aa49-95ac316ff92b[1].png.WNCRYT2017-09-03 10:42:46.2542017-10-23 07:31:28.978kx**x»BçðÐKÓ  ?Õ,&  0HE!€ä0çðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P(..2017-10-23 07:31:29.025ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\3FKDGKJ6\apps.26551.9007199266247335.0cc859a2-c4d3-4330-8a31-6437882572d5[1].png.WNCRYT2017-09-03 10:42:46.2542017-10-23 07:31:29.025Px**xlPçðÐKÓ  ?Õ,&  0HE!€»BçðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P(..2017-10-23 07:31:29.041ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\JDS3T8OV\apps.12435.9007199266249034.cf984ab6-2604-4832-8715-191bd6defd0a[1].png.WNCRYT2017-09-03 10:42:47.7692017-10-23 07:31:29.025gx**€TçðÐKÓ  ?Õ,&  0HG!€lPçðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P*..2017-10-23 07:31:29.041ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\JDS3T8OV\apps.12487.13510798886817818.7dec88af-baca-4d07-9640-c367cd6b514b[1].png.WNCRYT2017-09-03 10:34:51.5192017-10-23 07:31:29.04115.4€**x5éðÐKÓ  ?Õ,&  0HE!€TçðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P(..2017-10-23 07:31:29.056ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\JDS3T8OV\apps.47093.9007199267163071.afa2c461-b588-4b32-97c1-b7daddc7d914[1].png.WNCRYT2017-09-03 10:42:47.7692017-10-23 07:31:29.056x**xäÏòðÐKÓ  ?Õ,&  0HE!€5éðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P(..2017-10-23 07:31:29.088ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\JDS3T8OV\apps.56061.9007199266249034.5136ebed-648b-4f7a-a268-f36d676e4a3f[1].png.WNCRYT2017-09-03 10:42:46.2072017-10-23 07:31:29.088Wx**€NnñÐKÓ  ?Õ,&  0HG!€äÏòðÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P*..2017-10-23 07:31:29.151ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\K8SU5EHQ\apps.34814.13510798886817818.b5349390-adce-47ba-af28-d73dc589d98b[1].png.WNCRYT2017-09-03 10:34:51.6662017-10-23 07:31:29.151Micr€**€¼…ñÐKÓ  ?Õ,&  0HG!€NnñÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P*..2017-10-23 07:31:29.213ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\K8SU5EHQ\apps.49529.13510798886817818.a52a1b49-6add-42f5-989d-fd5af2c0d6cf[1].png.WNCRYT2017-09-03 10:34:51.3502017-10-23 07:31:29.182017-€**x òVñÐKÓ  ?Õ,&  0HE!€¼…ñÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P(..2017-10-23 07:31:29.229ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\K8SU5EHQ\apps.63578.9007199267163071.f2756185-4638-47e0-9958-1ed9aa60f2a0[1].png.WNCRYT2017-09-03 10:42:47.1132017-10-23 07:31:29.229Wx**x!hñÐKÓ  ?Õ,&  0HC!€òVñÐKÓ„Ø!Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P&..2017-10-23 07:31:29.322ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\INetCache\IE\K8SU5EHQ\apps.7247.9007199266249034.87c32a6c-500a-4373-a33e-e9781e51c848[1].png.WNCRYT2017-09-03 10:42:47.1132017-10-23 07:31:29.244Õéx**ˆ"¨ñÐKÓ  ?Õ,&  0HQ!€hñÐKÓ„Ø"Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P4..2017-10-23 07:31:29.338ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\User\Default\AppCache\9LKT1B89\1\9e62b100[1].js.WNCRYT2017-09-03 15:55:50.3132017-10-23 07:31:29.322pW*Âàˆ**(#-·ñÐKÓ  ?Õ,&  0Hï!€¨ñÐKÓ„Ø#Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÒ..2017-10-23 07:31:29.369ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\LogSettings.txt.WNCRYT2017-09-03 10:28:04.8092017-10-23 07:31:29.338üé(**È$Ž»ñÐKÓ  ?Õ,&  0H•!€-·ñÐKÓ„Ø$Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Px..2017-10-23 07:31:29.384ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7066ebe0-1c3f-4020-a492-01fea5b0c66b}\0.1.filtertrie.intermediate.txt.WNCRYT2017-10-23 06:52:22.8152017-10-23 07:31:29.384\È**È%À¾ñÐKÓ  ?Õ,&  0H•!€Ž»ñÐKÓ„Ø%Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Px..2017-10-23 07:31:29.384ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7066ebe0-1c3f-4020-a492-01fea5b0c66b}\0.2.filtertrie.intermediate.txt.WNCRYT2017-10-23 06:52:22.8622017-10-23 07:31:29.384È**È&QÂñÐKÓ  ?Õ,&  0H•!€À¾ñÐKÓ„Ø&Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Px..2017-10-23 07:31:29.384ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{df2291aa-5853-4d6b-af69-5ac06e193351}\0.1.filtertrie.intermediate.txt.WNCRYT2017-10-23 06:52:18.3782017-10-23 07:31:29.3847È**È'r˜ñÐKÓ  ?Õ,&  0H•!€QÂñÐKÓ„Ø'Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Px..2017-10-23 07:31:29.384ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{df2291aa-5853-4d6b-af69-5ac06e193351}\0.2.filtertrie.intermediate.txt.WNCRYT2017-10-23 06:52:18.3942017-10-23 07:31:29.384:È**ð(îN%ñÐKÓ  ?Õ,&  0H¹!€r˜ñÐKÓ„Ø(Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pœ..2017-10-23 07:31:29.431ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\ast.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.38403 ð**ø)T%ñÐKÓ  ?Õ,&  0H¿!€îN%ñÐKÓ„Ø)Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:29.479ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\bitset.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.47971øYZ×C:\too  ?Õ,&  0HMN€T%ñÐKÓ„Ø*Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P7:31:12017-10-23 07:31:29.479ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe€¢ý,çÐKÓElfChnk*w*w€ðúþî1R_`»Ðóè8=Î÷²›f?øm©MFº&é**€ *b,ñÐKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H›!€T%ñÐKÓ„Ø*Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüétlüâ:IŽ'1¶ÌÔˆºÿÿ®D‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .P¬..2017-10-23 07:31:29.479ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\bltinmodule.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.479?Õ,&€ **+¡«4ñÐKÓ  ?Õ,&  0HÇ!€b,ñÐKÓ„Ø+Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:29.526ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\boolobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.510€Ø—ð**,'ü4ñÐKÓ  ?Õ,&  0HÇ!€¡«4ñÐKÓ„Ø,Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:29.573ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\cellobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.573Micr**ð-G5ñÐKÓ  ?Õ,&  0H»!€'ü4ñÐKÓ„Ø-Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pž..2017-10-23 07:31:29.588ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\dtoa.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.588ð**. ¿7ñÐKÓ  ?Õ,&  0HÇ!€G5ñÐKÓ„Ø.Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:29.588ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\enumobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.588 **ð/m8ñÐKÓ  ?Õ,&  0H»!€ ¿7ñÐKÓ„Ø/Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pž..2017-10-23 07:31:29.604ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\eval.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.588ð**ø0Ú]8ñÐKÓ  ?Õ,&  0HÅ!€m8ñÐKÓ„Ø0Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:29.604ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\intrcheck.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.604ø**1Kô=ñÐKÓ  ?Õ,&  0HÇ!€Ú]8ñÐKÓ„Ø1Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:29.604ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\iterobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.604**ø2bø=ñÐKÓ  ?Õ,&  0HÁ!€Kô=ñÐKÓ„Ø2Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¤..2017-10-23 07:31:29.635ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\marshal.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.63541ø**3 ü=ñÐKÓ  ?Õ,&  0HÉ!€bø=ñÐKÓ„Ø3Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:29.635ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\metagrammar.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.6357.7**4&€EñÐKÓ  ?Õ,&  0HÑ!€ ü=ñÐKÓ„Ø4Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:29.651ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\namespaceobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.63527.**ø5¤ÔKñÐKÓ  ?Õ,&  0H¿!€&€EñÐKÓ„Ø5Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¢..2017-10-23 07:31:29.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\osdefs.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.6970020ø**ø6hÛKñÐKÓ  ?Õ,&  0HÃ!€¤ÔKñÐKÓ„Ø6Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:29.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\osmodule.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.697T2ø**ð7âßKñÐKÓ  ?Õ,&  0H»!€hÛKñÐKÓ„Ø7Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pž..2017-10-23 07:31:29.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pgen.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.697r_ð**ø8IãKñÐKÓ  ?Õ,&  0HÃ!€âßKñÐKÓ„Ø8Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:29.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pygetopt.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.697enø**ø9XæKñÐKÓ  ?Õ,&  0HÃ!€IãKñÐKÓ„Ø9Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:29.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pystrcmp.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.697NCø**ø:ú&MñÐKÓ  ?Õ,&  0HÃ!€XæKñÐKÓ„Ø:Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:29.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\pystrhex.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.6976 ø**;òaRñÐKÓ  ?Õ,&  0HÉ!€ú&MñÐKÓ„Ø;Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:29.744ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\include\rangeobject.h.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.7287-1** <ÃœXñÐKÓ  ?Õ,&  0Hë!€òaRñÐKÓ„Ø<Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÎ..2017-10-23 07:31:29.775ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\ctypes\macholib\fetch_macholib.bat.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.775;ð **=AÉXñÐKÓ  ?Õ,&  0HÇ!€ÃœXñÐKÓ„Ø=Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:29.775ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\idle.bat.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.775**>‹ïXñÐKÓ  ?Õ,&  0H×!€AÉXñÐKÓ„Ø>Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pº..2017-10-23 07:31:29.807ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\Icons\folder.gif.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.791H**?¯ynñÐKÓ  ?Õ,&  0HÝ!€‹ïXñÐKÓ„Ø?Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÀ..2017-10-23 07:31:29.807ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\Icons\minusnode.gif.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.807**@š°nñÐKÓ  ?Õ,&  0Hß!€¯ynñÐKÓ„Ø@Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:29.900ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\Icons\openfolder.gif.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.807¿Lõiû**AönñÐKÓ  ?Õ,&  0HÛ!€š°nñÐKÓ„ØAMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¾..2017-10-23 07:31:29.932ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\Icons\plusnode.gif.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.932Sy**BOoñÐKÓ  ?Õ,&  0H×!€önñÐKÓ„ØBMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pº..2017-10-23 07:31:29.932ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\Icons\python.gif.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.932üé**C3f~ñÐKÓ  ?Õ,&  0HÏ!€OoñÐKÓ„ØCMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P²..2017-10-23 07:31:29.948ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\idlelib\Icons\tk.gif.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:29.932.2**Dã€ñÐKÓ  ?Õ,&  0HÛ!€3f~ñÐKÓ„ØDMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¾..2017-10-23 07:31:30.072ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\lib2to3\PatternGrammar.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.05707**E<šˆñÐKÓ  ?Õ,&  0H×!€ã€ñÐKÓ„ØEMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pº..2017-10-23 07:31:30.072ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\README.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.072:31:** F3Ÿ‰ñÐKÓ  ?Õ,&  0Hk!€<šˆñÐKÓ„ØFMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PN..2017-10-23 07:31:30.119ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\coverage-4.4.1-py3.6-win32.egg\coverage\htmlfiles\jquery.ba-throttle-debounce.min.js.WNCRYT2017-09-03 15:58:00.9452017-10-23 07:31:30.119NW **€G¢=ñÐKÓ  ?Õ,&  0HG!€3Ÿ‰ñÐKÓ„ØGMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P*..2017-10-23 07:31:30.136ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\coverage-4.4.1-py3.6-win32.egg\coverage\htmlfiles\keybd_closed.png.WNCRYT2017-09-03 15:58:01.0242017-10-23 07:31:30.119830\€**xHvZñÐKÓ  ?Õ,&  0HC!€¢=ñÐKÓ„ØHMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P&..2017-10-23 07:31:30.150ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\coverage-4.4.1-py3.6-win32.egg\coverage\htmlfiles\keybd_open.png.WNCRYT2017-09-03 15:58:01.0242017-10-23 07:31:30.1500-x**pI¢oñÐKÓ  ?Õ,&  0H;!€vZñÐKÓ„ØIMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.150ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\coverage-4.4.1-py3.6-win32.egg\EGG-INFO\dependency_links.txt.WNCRYT2017-09-03 15:58:01.1642017-10-23 07:31:30.150Htðp**hJê‚ñÐKÓ  ?Õ,&  0H3!€¢oñÐKÓ„ØJMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.150ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\coverage-4.4.1-py3.6-win32.egg\EGG-INFO\entry_points.txt.WNCRYT2017-09-03 15:58:01.1642017-10-23 07:31:30.150h**hK¯”ñÐKÓ  ?Õ,&  0H1!€ê‚ñÐKÓ„ØKMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.150ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\coverage-4.4.1-py3.6-win32.egg\EGG-INFO\native_libs.txt.WNCRYT2017-09-03 15:58:01.1642017-10-23 07:31:30.150monh**`Lâ‘ñÐKÓ  ?Õ,&  0H-!€¯”ñÐKÓ„ØLMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.150ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\coverage-4.4.1-py3.6-win32.egg\EGG-INFO\top_level.txt.WNCRYT2017-09-03 15:58:01.1792017-10-23 07:31:30.150t`**@Meè‘ñÐKÓ  ?Õ,&  0H !€â‘ñÐKÓ„ØMMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pî..2017-10-23 07:31:30.182ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\pip-9.0.1.dist-info\entry_points.txt.WNCRYT2017-09-03 10:33:50.0862017-10-23 07:31:30.182-2@**8N"í‘ñÐKÓ  ?Õ,&  0H!€eè‘ñÐKÓ„ØNMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pè..2017-10-23 07:31:30.198ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\pip-9.0.1.dist-info\top_level.txt.WNCRYT2017-09-03 10:33:50.1332017-10-23 07:31:30.1828**XO(0—ñÐKÓ  ?Õ,&  0H%!€"í‘ñÐKÓ„ØOMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.198ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\py-1.4.34-py3.6.egg\EGG-INFO\dependency_links.txt.WNCRYT2017-09-03 15:58:47.5082017-10-23 07:31:30.198\X**PP?4—ñÐKÓ  ?Õ,&  0H!€(0—ñÐKÓ„ØPMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pú..2017-10-23 07:31:30.228ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\py-1.4.34-py3.6.egg\EGG-INFO\top_level.txt.WNCRYT2017-09-03 15:58:47.5232017-10-23 07:31:30.228PRO\P**`QF>—ñÐKÓ  ?Õ,&  0H+!€?4—ñÐKÓ„ØQMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.228ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\pytest-3.2.1-py3.6.egg\EGG-INFO\dependency_links.txt.WNCRYT2017-09-03 15:57:48.7892017-10-23 07:31:30.228_1`**XRCA—ñÐKÓ  ?Õ,&  0H#!€F>—ñÐKÓ„ØRMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.228ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\pytest-3.2.1-py3.6.egg\EGG-INFO\entry_points.txt.WNCRYT2017-09-03 15:57:48.7892017-10-23 07:31:30.228 0X**PSQ›œñÐKÓ  ?Õ,&  0H!€CA—ñÐKÓ„ØSMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pþ..2017-10-23 07:31:30.228ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\pytest-3.2.1-py3.6.egg\EGG-INFO\requires.txt.WNCRYT2017-09-03 15:57:48.8202017-10-23 07:31:30.228P**PTJ¤ñÐKÓ  ?Õ,&  0H!€Q›œñÐKÓ„ØTMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.244ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\pytest-3.2.1-py3.6.egg\EGG-INFO\top_level.txt.WNCRYT2017-09-03 15:57:48.8202017-10-23 07:31:30.244P**hU‹S¢ñÐKÓ  ?Õ,&  0H3!€J¤ñÐKÓ„ØUMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.259ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\pytest_cov-2.5.1-py3.6.egg\EGG-INFO\dependency_links.txt.WNCRYT2017-09-03 15:57:25.3832017-10-23 07:31:30.259Wih**`V×w§ñÐKÓ  ?Õ,&  0H+!€‹S¢ñÐKÓ„ØVMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.275ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\pytest_cov-2.5.1-py3.6.egg\EGG-INFO\entry_points.txt.WNCRYT2017-09-03 15:57:25.3832017-10-23 07:31:30.2757-`**XWº§ñÐKÓ  ?Õ,&  0H#!€×w§ñÐKÓ„ØWMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\pytest_cov-2.5.1-py3.6.egg\EGG-INFO\requires.txt.WNCRYT2017-09-03 15:57:25.4142017-10-23 07:31:30.291ksX**XXˆ~¯ñÐKÓ  ?Õ,&  0H%!€º§ñÐKÓ„ØXMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\pytest_cov-2.5.1-py3.6.egg\EGG-INFO\top_level.txt.WNCRYT2017-09-03 15:57:25.4142017-10-23 07:31:30.291iX**XYcã¯ñÐKÓ  ?Õ,&  0H#!€ˆ~¯ñÐKÓ„ØYMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\setuptools-28.8.0.dist-info\dependency_links.txt.WNCRYT2017-09-03 10:33:42.0392017-10-23 07:31:30.29180X**HZxJ¿ñÐKÓ  ?Õ,&  0H!€cã¯ñÐKÓ„ØZMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pø..2017-10-23 07:31:30.338ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\setuptools-28.8.0.dist-info\top_level.txt.WNCRYT2017-09-03 10:33:42.0702017-10-23 07:31:30.3380H**`[©©¿ñÐKÓ  ?Õ,&  0H'!€xJ¿ñÐKÓ„Ø[Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P ..2017-10-23 07:31:30.432ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\six-1.10.0-py3.6.egg\EGG-INFO\dependency_links.txt.WNCRYT2017-09-03 15:57:52.5862017-10-23 07:31:30.432`**H\#°¿ñÐKÓ  ?Õ,&  0H!€©©¿ñÐKÓ„Ø\Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pø..2017-10-23 07:31:30.447ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\six-1.10.0-py3.6.egg\EGG-INFO\SOURCES.txt.WNCRYT2017-09-03 15:57:52.6012017-10-23 07:31:30.447H**P]A´¿ñÐKÓ  ?Õ,&  0H!€#°¿ñÐKÓ„Ø]Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pü..2017-10-23 07:31:30.447ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\site-packages\six-1.10.0-py3.6.egg\EGG-INFO\top_level.txt.WNCRYT2017-09-03 15:57:52.6012017-10-23 07:31:30.447monP**ø^ç·¿ñÐKÓ  ?Õ,&  0HÅ!€A´¿ñÐKÓ„Ø^Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:30.463ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\dh1024.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.463nø**ø_¼¿ñÐKÓ  ?Õ,&  0HÃ!€ç·¿ñÐKÓ„Ø_Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:30.494ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\empty.vbs.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.494*Âàø**`ªöÅñÐKÓ  ?Õ,&  0HÉ!€¼¿ñÐKÓ„Ø`Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:30.494ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\nullcert.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.494õiû**(aàWÍñÐKÓ  ?Õ,&  0Hï!€ªöÅñÐKÓ„ØaMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÒ..2017-10-23 07:31:30.525ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\selfsigned_pythontestdotnet.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.525ndow(**bDÙÔñÐKÓ  ?Õ,&  0HÉ!€àWÍñÐKÓ„ØbMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¬..2017-10-23 07:31:30.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\ssl_cert.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.572€FŽÛð**cŸ,ÜñÐKÓ  ?Õ,&  0HÕ!€DÙÔñÐKÓ„ØcMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¸..2017-10-23 07:31:30.635ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\ssl_key.passwd.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.588ð**dB:æñÐKÓ  ?Õ,&  0HÇ!€Ÿ,ÜñÐKÓ„ØdMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pª..2017-10-23 07:31:30.681ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\ssl_key.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.681CRYT**eqíñÐKÓ  ?Õ,&  0HÑ!€B:æñÐKÓ„ØeMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:30.744ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_doctest.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.744662**fÓ6îñÐKÓ  ?Õ,&  0HÓ!€qíñÐKÓ„ØfMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¶..2017-10-23 07:31:30.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_doctest2.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.791os**g‚ªòñÐKÓ  ?Õ,&  0HÓ!€Ó6îñÐKÓ„ØgMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¶..2017-10-23 07:31:30.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_doctest3.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.791\t**h­ÞøñÐKÓ  ?Õ,&  0HÓ!€‚ªòñÐKÓ„ØhMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¶..2017-10-23 07:31:30.822ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_doctest4.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.806P**Xi|èøñÐKÓ  ?Õ,&  0H!!€­ÞøñÐKÓ„ØiMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.838ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\tokenize_tests-latin1-coding-cookie-and-utf8-bom-sig.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.838nalX**XjoXûñÐKÓ  ?Õ,&  0H#!€|èøñÐKÓ„ØjMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.853ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\tokenize_tests-no-coding-cookie-and-utf8-bom-sig-only.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.853SyX**Xk^]ûñÐKÓ  ?Õ,&  0H#!€oXûñÐKÓ„ØkMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.884ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\tokenize_tests-utf8-coding-cookie-and-no-utf8-bom-sig.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.869iûX**PlÇDýñÐKÓ  ?Õ,&  0H!€^]ûñÐKÓ„ØlMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P..2017-10-23 07:31:30.884ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\tokenize_tests-utf8-coding-cookie-and-utf8-bom-sig.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.884fP**ømãIýñÐKÓ  ?Õ,&  0HÅ!€ÇDýñÐKÓ„ØmMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¨..2017-10-23 07:31:30.900ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\zipdir.zip.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.900ø**n ¹òÐKÓ  ?Õ,&  0HÙ!€ãIýñÐKÓ„ØnMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:31:30.900ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\zip_cp437_header.zip.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.900320**ovÁòÐKÓ  ?Õ,&  0Hå!€ ¹òÐKÓ„ØoMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:30.931ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\big5-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.931L**pxÅòÐKÓ  ?Õ,&  0HÛ!€vÁòÐKÓ„ØpMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¾..2017-10-23 07:31:30.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\big5.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.931qx**(q"ÉòÐKÓ  ?Õ,&  0Hï!€xÅòÐKÓ„ØqMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÒ..2017-10-23 07:31:30.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\big5hkscs-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.947tana(**rúÌòÐKÓ  ?Õ,&  0Hå!€"ÉòÐKÓ„ØrMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:30.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\big5hkscs.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.947o** s7ÐòÐKÓ  ?Õ,&  0Hç!€úÌòÐKÓ„ØsMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÊ..2017-10-23 07:31:30.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\cp949-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.947smon **t2 òÐKÓ  ?Õ,&  0HÝ!€7ÐòÐKÓ„ØtMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÀ..2017-10-23 07:31:30.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\cp949.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.947** uçó òÐKÓ  ?Õ,&  0Hë!€2 òÐKÓ„ØuMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÎ..2017-10-23 07:31:30.979ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\euc_jisx0213.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:30.979 0 **vÐBòÐKÓ  ?Õ,&  0Hß!€çó òÐKÓ„ØvMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:31.010ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\euc_jp.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.010-23 ** w{òÐKÓ  ?Õ,&  0Hé!€ÐBòÐKÓ„ØwMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÌ..2017-10-23 07:31:31.010ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\euc_kr-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.010Y C:\too  ?  ?Õ,&  0H€{òÐKÓ„ØxMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P:120172017-10-23 07:31:31.010ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeKÓElfChnkxÅxÅ€ÈúþºøŽõmPKóè8=Î÷²›f?øm©MFº&+Í+ðé**˜ x¨ÇòÐKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H±!€{òÐKÓ„ØxMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüétlüâ:IŽ'1¶ÌÔˆºÿÿ®D‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .PÂ..2017-10-23 07:31:31.010ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\euc_kr.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.010¡«4ñ˜ **y£öòÐKÓ  ?Õ,&  0Há!€¨ÇòÐKÓ„ØyMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÄ..2017-10-23 07:31:31.026ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\gb18030.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.026** z+ûòÐKÓ  ?Õ,&  0Hé!€£öòÐKÓ„ØzMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÌ..2017-10-23 07:31:31.026ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\gb2312-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.026 **{ÿòÐKÓ  ?Õ,&  0Hß!€+ûòÐKÓ„Ø{Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:31.041ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\gb2312.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.026Ç!**|gòÐKÓ  ?Õ,&  0HÙ!€ÿòÐKÓ„Ø|Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:31:31.057ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\gbk.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.041€ ¿7ñ**}ñòÐKÓ  ?Õ,&  0Há!€gòÐKÓ„Ø}Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÄ..2017-10-23 07:31:31.057ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\hz-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.057icr**~/ïòÐKÓ  ?Õ,&  0H×!€ñòÐKÓ„Ø~Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pº..2017-10-23 07:31:31.057ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\hz.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.057ndow** üòòÐKÓ  ?Õ,&  0Hç!€/ïòÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÊ..2017-10-23 07:31:31.088ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\iso2022_jp.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.088¿Lõiû **(€ÖõòÐKÓ  ?Õ,&  0Hñ!€üòòÐKÓ„Ø€Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÔ..2017-10-23 07:31:31.103ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\iso2022_kr-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.088mon(** ¢øòÐKÓ  ?Õ,&  0Hç!€ÖõòÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÊ..2017-10-23 07:31:31.103ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\iso2022_kr.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.103 t ** ‚P !òÐKÓ  ?Õ,&  0Hç!€¢øòÐKÓ„Ø‚Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÊ..2017-10-23 07:31:31.119ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\johab-utf8.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.103P **ƒÎŽ%òÐKÓ  ?Õ,&  0HÝ!€P !òÐKӄ؃Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÀ..2017-10-23 07:31:31.119ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\johab.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.119-**„W”%òÐKÓ  ?Õ,&  0Hå!€ÎŽ%òÐKÓ„Ø„Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.135ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\shift_jis.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.1356**(…Ø%òÐKÓ  ?Õ,&  0Hï!€W”%òÐKÓ„Ø…Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÒ..2017-10-23 07:31:31.151ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\cjkencodings\shift_jisx0213.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.151\too(**†_œ%òÐKÓ  ?Õ,&  0HÛ!€Ã˜%òÐKӄ؆Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¾..2017-10-23 07:31:31.151ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\imghdrdata\python.gif.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.151e\**‡$7òÐKÓ  ?Õ,&  0HÛ!€_œ%òÐKӄ؇Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¾..2017-10-23 07:31:31.166ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\imghdrdata\python.jpg.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.166xe**ˆ±Ô9òÐKÓ  ?Õ,&  0HÛ!€$7òÐKӄ؈Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¾..2017-10-23 07:31:31.275ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\imghdrdata\python.png.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.275NW**‰÷ãVòÐKÓ  ?Õ,&  0HÛ!€±Ô9òÐKӄ؉Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¾..2017-10-23 07:31:31.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\sndhdrdata\sndhdr.wav.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.291pD**Šž¶WòÐKÓ  ?Õ,&  0Hã!€÷ãVòÐKÓ„ØŠMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:31:31.479ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_asyncio\ssl_cert.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.479O\**‹+îeòÐKÓ  ?Õ,&  0Há!€ž¶WòÐKÓ„Ø‹Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÄ..2017-10-23 07:31:31.494ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_asyncio\ssl_key.pem.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.494oca**ŒžòeòÐKÓ  ?Õ,&  0Hå!€+îeòÐKÓ„ØŒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.572ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_01.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.572r**$ŒmòÐKÓ  ?Õ,&  0Hå!€žòeòÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.588ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_03.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.572a**Žá nòÐKÓ  ?Õ,&  0Hå!€$ŒmòÐKÓ„ØŽMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.634ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_04.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.634a**9EnòÐKÓ  ?Õ,&  0Hå!€á nòÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.634ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_05.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.634P**,æsòÐKÓ  ?Õ,&  0Hå!€9EnòÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.634ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_08.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.634o**‘ÏÛwòÐKÓ  ?Õ,&  0Hå!€,æsòÐKÓ„Ø‘Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.681ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_09.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.666n**’ÔßwòÐKÓ  ?Õ,&  0Hå!€ÏÛwòÐKÓ„Ø’Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_10.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.6973**“JãwòÐKÓ  ?Õ,&  0Hå!€ÔßwòÐKÓ„Ø“Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_11.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.697i**”„€zòÐKÓ  ?Õ,&  0Hå!€JãwòÐKÓ„Ø”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.697ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_12.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.697k** •ÃËzòÐKÓ  ?Õ,&  0Hç!€„€zòÐKÓ„Ø•Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÊ..2017-10-23 07:31:31.713ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_12a.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.713:31: **–IÊòÐKÓ  ?Õ,&  0Hå!€ÃËzòÐKÓ„Ø–Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.713ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_14.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.713e**—ÊòÐKÓ  ?Õ,&  0Hå!€IÊòÐKÓ„Ø—Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.760ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_17.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.760w**˜ÖçŠòÐKÓ  ?Õ,&  0Hå!€ÃŠòÐKӄؘMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.822ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_18.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.822**™0ŒòÐKÓ  ?Õ,&  0Hå!€ÖçŠòÐKÓ„Ø™Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.822ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_19.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.822**šÎ3òÐKÓ  ?Õ,&  0Hå!€0ŒòÐKÓ„ØšMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.822ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_20.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.8222**›F9òÐKÓ  ?Õ,&  0Hå!€Î3òÐKÓ„Ø›Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.853ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_21.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.8530**œxAòÐKÓ  ?Õ,&  0Hå!€F9òÐKÓ„ØœMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.853ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_23.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.853N**èTòÐKÓ  ?Õ,&  0Hå!€xAòÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.853ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_24.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.853\**žÙ”òÐKÓ  ?Õ,&  0Hå!€èTòÐKÓ„ØžMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.853ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_27.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.853i**Ÿ혗òÐKÓ  ?Õ,&  0Hå!€Ù”òÐKÓ„ØŸMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.885ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_28.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.885a** Ð?˜òÐKÓ  ?Õ,&  0Hå!€í˜—òÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.901ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_29.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.901e**¡5ΘòÐKÓ  ?Õ,&  0Hå!€Ð?˜òÐKÓ„Ø¡Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.916ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_30.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.916-**¢JšòÐKÓ  ?Õ,&  0Hå!€5ΘòÐKÓ„Ø¢Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.916ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_31.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.9167**£ûΛòÐKÓ  ?Õ,&  0Hå!€JšòÐKÓ„Ø£Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.932ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_32.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.932**¤sã›òÐKÓ  ?Õ,&  0Hå!€ûΛòÐKӄؤMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.932ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_33.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.932r**¥Ië›òÐKÓ  ?Õ,&  0Hå!€sã›òÐKÓ„Ø¥Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.932ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_34.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.932**¦]ŸòÐKÓ  ?Õ,&  0Hå!€Ië›òÐKӄئMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.932ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_35.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.932**§ªHŸòÐKÓ  ?Õ,&  0Hå!€]ŸòÐKӄاMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_36.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.947**¨3MŸòÐKÓ  ?Õ,&  0Hå!€ªHŸòÐKӄبMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.947ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_37.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.947:**©,PŸòÐKÓ  ?Õ,&  0Hå!€3MŸòÐKÓ„Ø©Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.963ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_40.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.9631**ª-×¢òÐKÓ  ?Õ,&  0Hå!€,PŸòÐKӄتMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.963ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_41.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.963d**«Fé¢òÐKÓ  ?Õ,&  0Hå!€-×¢òÐKÓ„Ø«Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.963ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_42.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.963\**¬_n¥òÐKÓ  ?Õ,&  0Hå!€Fé¢òÐKӄجMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.978ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_44.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.978n**­Wê¦òÐKÓ  ?Õ,&  0Hå!€_n¥òÐKÓ„Ø­Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:31.994ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_45.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:31.978\**®(ˬòÐKÓ  ?Õ,&  0Hå!€Wê¦òÐKÓ„Ø®Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÈ..2017-10-23 07:31:32.010ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\msg_46.txt.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:32.010P**(¯\b°òÐKÓ  ?Õ,&  0Hï!€(ˬòÐKӄدMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÒ..2017-10-23 07:31:32.041ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_email\data\PyBanner048.gif.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:32.041b\te(**P°Ž´òÐKÓ  ?Õ,&  0H!€\b°òÐKÓ„Ø°Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pú..2017-10-23 07:31:32.072ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_importlib\namespace_pkgs\missing_directory.zip.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:32.072NCRYP**H±–£´òÐKÓ  ?Õ,&  0H!€Ž´òÐKӄرMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pö..2017-10-23 07:31:32.088ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_importlib\namespace_pkgs\nested_portion1.zip.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:32.0883 H**P²ÿÃòÐKÓ  ?Õ,&  0H!€–£´òÐKӄزMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.Pü..2017-10-23 07:31:32.103ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\test\test_importlib\namespace_pkgs\top_level_portion1.zip.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:32.103?Õ,&P**³ž‹ÃòÐKÓ  ?Õ,&  0Hß!€ÿÃòÐKӄسMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:32.198ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\venv\scripts\nt\activate.bat.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:32.167**´¢¥ÒòÐKÓ  ?Õ,&  0Hã!€ž‹ÃòÐKÓ„Ø´Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÆ..2017-10-23 07:31:32.198ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Lib\venv\scripts\nt\deactivate.bat.WNCRYT2017-06-17 11:57:18.0002017-10-23 07:31:32.198**øµ)ÛÕòÐKÓ  ?Õ,&  0HÃ!€¢¥ÒòÐKӄصMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¦..2017-10-23 07:31:32.291ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tclooConfig.sh.WNCRYT2017-06-16 12:32:50.0002017-10-23 07:31:32.291ø**¶è©ØòÐKÓ  ?Õ,&  0HË!€)ÛÕòÐKӄضMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:32.322ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\af.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:32.322**¸·J1ÞòÐKÓ  ?Õ,&  0Hƒ!€è©ØòÐKÓ„Ø·Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+ÍÀ5ñxaæâçz|°âÊRÿÿFAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .@æ@, Z..2017-10-23 07:31:32.339ŸR ÔšíYn·•´C:\Windows\System32\eventvwr.exe"C:\Windows\system32\eventvwr.exe" /l:"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%%4Operational.evtx"C:\Windows\System32\winevt\Logs\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=967A4A8C5AE701AB8EA069F45764EB09AF4A89D2ŸR S–«Y­{ C:\Windows\explorer.exeC:\Windows\Explorer.EXEŸR¸**¸@6ÞòÐKÓ  ?Õ,&  0HÑ!€J1ÞòÐKӄظMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:32.353ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\af_za.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:32.353é**¹³=ÞòÐKÓ  ?Õ,&  0HÑ!€@6ÞòÐKӄعMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:32.353ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ar_in.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:32.353icr**ºÍ8äòÐKÓ  ?Õ,&  0HÑ!€³=ÞòÐKӄغMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:32.369ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\bn_in.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:32.369**»¼èòÐKÓ  ?Õ,&  0HÑ!€Í8äòÐKÓ„Ø»Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:32.400ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\de_at.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:32.400sof**¼öäèòÐKÓ  ?Õ,&  0HÑ!€¼èòÐKӄؼMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:32.416ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\en_au.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:32.416icr**½žîèòÐKÓ  ?Õ,&  0HÑ!€öäèòÐKӄؽMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:32.432ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\en_be.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:32.432**¾MóèòÐKÓ  ?Õ,&  0HÑ!€žîèòÐKӄؾMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:32.432ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\en_bw.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:32.432q**¿çS3óÐKÓ  ?Õ,&  0HÑ!€MóèòÐKÓ„Ø¿Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:32.432ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\en_ca.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:32.432!**À—‹3óÐKÓ  ?Õ,&  0HÑ!€çS3óÐKÓ„ØÀMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:32.931ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\en_gb.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:32.9310**ÀÁÈ7óÐKÓ  ?Õ,&  0H‡!€—‹3óÐKÓ„ØÁMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å+ð¢å _Ö¡`Ÿ(À›AÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .@2017-10-23 07:31:32.931ŸR ÔšíYn·•´C:\Windows\System32\eventvwr.exe**À**Âåî:óÐKÓ  ?Õ,&  0HÑ!€È7óÐKÓ„ØÂMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:32.931ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\en_hk.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:32.9317**ûø:óÐKÓ  ?Õ,&  0HÑ!€åî:óÐKÓ„ØÃMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:32.963ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\en_ie.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:32.96307:**ħ&HóÐKÓ  ?Õ,&  0HÑ!€»ø:óÐKÓ„ØÄMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:32.979ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\en_in.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:32.97910-**ÈÅhMOóÐKÓ  ?Õ,&  0H“!€§&HóÐKÓ„ØÅMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñx+Í.>J(& Z>T2017-10-23 07:31:33.073ŸR ÕšíY𹕤C:\Windows\System32\consent.execonsent.exe 1012 476 000001F7C02E1240C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B02648A975909E63D93E3531C1250F89BA676F9FŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsÈ{òÐKÓ„Øx  ?Õ,&  0Hso€hMOóÐKÓ„ØÆMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüés\tasksche\tasksche.exeKÓElfChnkÆÆ€ýØÿ½Ñˆ±2Iò)óè8=Î÷²›f?øm©MFº&é**ˆ Æ"ROóÐKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H£!€hMOóÐKÓ„ØÆMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüétlüâ:IŽ'1¶ÌÔˆºÿÿ®D‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .P´..2017-10-23 07:31:33.104ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\en_nz.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.10431.ˆ **Ç£VOóÐKÓ  ?Õ,&  0HÑ!€"ROóÐKÓ„ØÇMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.104ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\en_ph.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.10423 **ÈõYOóÐKÓ  ?Õ,&  0HÑ!€£VOóÐKÓ„ØÈMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.104ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\en_sg.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.104.00**ÉjüPóÐKÓ  ?Õ,&  0HÑ!€õYOóÐKÓ„ØÉMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.104ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\en_za.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.1041:5**Ê·BQóÐKÓ  ?Õ,&  0HÑ!€jüPóÐKÓ„ØÊMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.119ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\en_zw.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.119-17**Ë©ÆVóÐKÓ  ?Õ,&  0HÑ!€·BQóÐKÓ„ØËMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.119ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_ar.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.119T20**Ì‹ÌVóÐKÓ  ?Õ,&  0HÑ!€©ÆVóÐKÓ„ØÌMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.150ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_bo.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.150CRY**Í&ÐVóÐKÓ  ?Õ,&  0HÑ!€‹ÌVóÐKÓ„ØÍMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.166ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_cl.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.16622_**ÎçWóÐKÓ  ?Õ,&  0HÑ!€&ÐVóÐKÓ„ØÎMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.166ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_co.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.166odi**ÏžNfóÐKÓ  ?Õ,&  0HÑ!€çWóÐKÓ„ØÏMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.166ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_cr.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.166\Li**ÐRfóÐKÓ  ?Õ,&  0HÑ!€žNfóÐKÓ„ØÐMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.259ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_do.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.259\Py**ÑpXfóÐKÓ  ?Õ,&  0HÑ!€RfóÐKÓ„ØÑMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.259ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_ec.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.259gra**Òq[fóÐKÓ  ?Õ,&  0HÑ!€pXfóÐKÓ„ØÒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.259ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_gt.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.259\Pr**Ó kóÐKÓ  ?Õ,&  0HÑ!€q[fóÐKÓ„ØÓMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.259ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_hn.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.259ta\**Ô`¦kóÐKÓ  ?Õ,&  0HÑ!€ kóÐKÓ„ØÔMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.276ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_mx.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.276ers**Õ:÷kóÐKÓ  ?Õ,&  0HÑ!€`¦kóÐKÓ„ØÕMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.276ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_ni.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.276:\U**Ö ükóÐKÓ  ?Õ,&  0HÑ!€:÷kóÐKÓ„ØÖMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.276ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_pa.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.276exe**×–ÿkóÐKÓ  ?Õ,&  0HÑ!€ ükóÐKÓ„Ø×Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.276ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_pe.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.276che**ØßlóÐKÓ  ?Õ,&  0HÑ!€–ÿkóÐKÓ„ØØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.307ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_pr.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.307ask**ÙV´uóÐKÓ  ?Õ,&  0HÑ!€ßlóÐKÓ„ØÙMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.307ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_py.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.307sks**ÚÙ¹uóÐKÓ  ?Õ,&  0HÑ!€V´uóÐKÓ„ØÚMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.307ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_sv.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.307too**Û‘ÂuóÐKÓ  ?Õ,&  0HÑ!€Ù¹uóÐKÓ„ØÛMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.307ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_uy.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.307ol-**ܪ…{óÐKÓ  ?Õ,&  0HÑ!€‘ÂuóÐKÓ„ØÜMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.369ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\es_ve.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.338**ÝïŽ{óÐKÓ  ?Õ,&  0HË!€ª…{óÐKÓ„ØÝMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:33.401ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\eu.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.385.6**Þ=’{óÐKÓ  ?Õ,&  0HÑ!€ïŽ{óÐKÓ„ØÞMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.401ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\eu_es.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.401 07**ßC¡€óÐKÓ  ?Õ,&  0HÑ!€=’{óÐKÓ„ØßMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.401ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\fa_ir.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.40117-**à ¥€óÐKÓ  ?Õ,&  0HË!€C¡€óÐKÓ„ØàMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:33.432ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\fo.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.432P**áÊ©€óÐKÓ  ?Õ,&  0HÑ!€ ¥€óÐKÓ„ØáMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.432ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\fo_fo.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.432é**âo¬€óÐKÓ  ?Õ,&  0HÑ!€Ê©€óÐKÓ„ØâMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.432ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\fr_be.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.432nal**ゃóÐKÓ  ?Õ,&  0HÑ!€o¬€óÐKÓ„ØãMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.432ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\fr_ca.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.432Ope**äñôƒóÐKÓ  ?Õ,&  0HÑ!€‚ƒóÐKÓ„ØäMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.447ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\fr_ch.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.447dow**娞šóÐKÓ  ?Õ,&  0HÑ!€ñôƒóÐKÓ„ØåMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.463ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ga_ie.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.463sof**æÒQ›óÐKÓ  ?Õ,&  0HË!€¨žšóÐKÓ„ØæMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:33.603ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\gl.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.603*Âà**ç‚¢›óÐKÓ  ?Õ,&  0HÑ!€ÒQ›óÐKÓ„ØçMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.603ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\gl_es.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.603-Sy**èΦ›óÐKÓ  ?Õ,&  0HÑ!€‚¢›óÐKÓ„ØèMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.603ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\gv_gb.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.603-Wi**é=­óÐKÓ  ?Õ,&  0HÑ!€Î¦›óÐKÓ„ØéMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.619ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\hi_in.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.619icr**ê?3®óÐKÓ  ?Õ,&  0HË!€=­óÐKÓ„ØêMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:33.713ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\id.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.713**ëé@®óÐKÓ  ?Õ,&  0HÑ!€?3®óÐKÓ„ØëMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.713ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\id_id.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.713€xAò**ìCS²óÐKÓ  ?Õ,&  0HÑ!€é@®óÐKÓ„ØìMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.713ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\it_ch.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.713!**í X²óÐKÓ  ?Õ,&  0HË!€CS²óÐKÓ„ØíMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:33.760ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\kl.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.760 **îg[²óÐKÓ  ?Õ,&  0HÑ!€ X²óÐKÓ„ØîMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.760ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\kl_gl.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.760**ï6^²óÐKÓ  ?Õ,&  0HÓ!€g[²óÐKÓ„ØïMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¶..2017-10-23 07:31:33.760ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\kok_in.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.760**ðšç¶óÐKÓ  ?Õ,&  0HÑ!€6^²óÐKÓ„ØðMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.760ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ko_kr.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.760**ñ·óÐKÓ  ?Õ,&  0HË!€šç¶óÐKÓ„ØñMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:33.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\kw.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.791Λò**òÑæÀóÐKÓ  ?Õ,&  0HÑ!€·óÐKÓ„ØòMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.791ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\kw_gb.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.791****óØÊóÐKÓ  ?Õ,&  0HÑ!€ÑæÀóÐKÓ„ØóMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.854ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\mr_in.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.8541.9**ô”ËóÐKÓ  ?Õ,&  0HË!€ØÊóÐKÓ„ØôMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:33.916ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ms.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.916-2**õßËóÐKÓ  ?Õ,&  0HÑ!€”ËóÐKÓ„ØõMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.916ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ms_my.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.916002**öùäËóÐKÓ  ?Õ,&  0HË!€ßËóÐKÓ„ØöMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:33.916ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\mt.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.916 1**÷WîËóÐKÓ  ?Õ,&  0HÑ!€ùäËóÐKÓ„Ø÷Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.931ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\nl_be.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.931017**øßòËóÐKÓ  ?Õ,&  0HÑ!€WîËóÐKÓ„ØøMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.931ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\pt_br.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.931.WN**ùB»ÜóÐKÓ  ?Õ,&  0HÑ!€ßòËóÐKÓ„ØùMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:33.931ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ru_ua.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:33.931g_4**úi¾ÜóÐKÓ  ?Õ,&  0HË!€B»ÜóÐKÓ„ØúMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P®..2017-10-23 07:31:34.033ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\sw.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:34.033ai**û'ÁÜóÐKÓ  ?Õ,&  0HÑ!€i¾ÜóÐKÓ„ØûMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:34.041ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\ta_in.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:34.041t\t**ü‰ÃÜóÐKÓ  ?Õ,&  0HÑ!€'ÁÜóÐKÓ„ØüMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:34.041ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\te_in.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:34.041\Li**ý{aäóÐKÓ  ?Õ,&  0HÑ!€‰ÃÜóÐKÓ„ØýMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:34.041ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\zh_cn.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:34.041hon**þÂðäóÐKÓ  ?Õ,&  0HÑ!€{aäóÐKÓ„ØþMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:34.088ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\zh_hk.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:34.088tho**ÿÄåóÐKÓ  ?Õ,&  0HÑ!€ÂðäóÐKÓ„ØÿMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:34.088ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\zh_sg.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:34.088oca**ŒQêóÐKÓ  ?Õ,&  0HÑ!€ÄåóÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P´..2017-10-23 07:31:34.088ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tcl8.6\msgs\zh_tw.msg.WNCRYT2017-06-16 12:32:48.0002017-10-23 07:31:34.088ask**'©êóÐKÓ  ?Õ,&  0Há!€ŒQêóÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÄ..2017-10-23 07:31:34.134ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\bitmaps\act_fold.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.134ol-**ÃëóÐKÓ  ?Õ,&  0HÙ!€'©êóÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:31:34.134ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\bitmaps\file.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.1340-2**ïóóÐKÓ  ?Õ,&  0HÝ!€ÃëóÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÀ..2017-10-23 07:31:34.134ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\bitmaps\folder.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.134-**D¦óóÐKÓ  ?Õ,&  0HÙ!€ïóóÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:31:34.182ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\bitmaps\info.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.182.2**,©óóÐKÓ  ?Õ,&  0HÛ!€D¦óóÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¾..2017-10-23 07:31:34.182ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\bitmaps\minus.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.18207**IôóÐKÓ  ?Õ,&  0Há!€,©óóÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÄ..2017-10-23 07:31:34.182ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\bitmaps\minusarm.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.182e **1ÁûóÐKÓ  ?Õ,&  0Há!€IôóÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÄ..2017-10-23 07:31:34.197ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\bitmaps\no_entry.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.197**ZÅûóÐKÓ  ?Õ,&  0Há!€1ÁûóÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÄ..2017-10-23 07:31:34.228ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\bitmaps\openfold.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.228**** úÈûóÐKÓ  ?Õ,&  0HÙ!€ZÅûóÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:31:34.244ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\bitmaps\plus.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.244¹** üLüóÐKÓ  ?Õ,&  0Hß!€úÈûóÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:34.244ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\bitmaps\plusarm.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.244KÓ** EÍýóÐKÓ  ?Õ,&  0Hß!€üLüóÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:34.244ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\bitmaps\srcfile.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.244** µÿóÐKÓ  ?Õ,&  0Há!€EÍýóÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÄ..2017-10-23 07:31:34.244ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\bitmaps\textfile.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.244** RL ôÐKÓ  ?Õ,&  0Hß!€µÿóÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÂ..2017-10-23 07:31:34.260ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\bitmaps\warning.gif.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.260**WM ôÐKÓ  ?Õ,&  0HÍ!€RL ôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P°..2017-10-23 07:31:34.338ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tix8.4.3\pref\TK.cs.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.338**ôÐKÓ  ?Õ,&  0HÏ!€WM ôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P²..2017-10-23 07:31:34.338ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\tcl\tk8.6\msgs\en_gb.msg.WNCRYT2017-06-16 12:32:52.0002017-10-23 07:31:34.338**JOôÐKÓ  ?Õ,&  0HÙ!€ôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.P¼..2017-10-23 07:31:34.401ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Local\Programs\Python\Python36-32\Tools\pynche\html40colors.txt.WNCRYT2017-06-17 11:57:20.0002017-10-23 07:31:34.401** NTôÐKÓ  ?Õ,&  0Hé!€JOôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.PÌ..2017-10-23 07:31:34.463ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exeC:\Users\MNWPRO\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt.WNCRYT2017-09-03 12:53:20.3122017-10-23 07:31:34.4470 **ÀzXôÐKÓ  ?Õ,&  0H!€NTôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..’..2017-10-23 07:31:34.463ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db2017-10-23 07:31:34.4632017-10-23 07:31:34.463À**À&†ôÐKÓ  ?Õ,&  0H‹!€zXôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé....2017-10-23 07:31:34.463ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db2017-10-23 07:31:34.4632017-10-23 07:31:34.463À**ÀÓ‹ôÐKÓ  ?Õ,&  0H‹!€&†ôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé....2017-10-23 07:31:34.463ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db2017-10-23 07:31:34.4632017-10-23 07:31:34.46310À**À~ôÐKÓ  ?Õ,&  0H‹!€Ó‹ôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé....2017-10-23 07:31:34.463ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db2017-10-23 07:31:34.4632017-10-23 07:31:34.463g.À**ÀÜ”ôÐKÓ  ?Õ,&  0H‹!€~ôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé....2017-10-23 07:31:34.463ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db2017-09-03 05:37:51.8712017-09-03 05:37:51.871C:À**ÀýšôÐKÓ  ?Õ,&  0H!€Ü”ôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..’..2017-10-23 07:31:34.463ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db2017-10-23 07:31:34.4632017-10-23 07:31:34.463tÀksche\tasksche.exeKÓElfChnkaa€Øú°ü> Sº¢J– óè8=Î÷²›f?øm©MFº&Ó"‹I£**@ *§ôÐKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H_!€ýšôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüétlüâ:IŽ'1¶ÌÔˆºÿÿ®D‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime ..’..2017-10-23 07:31:34.463ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db2017-09-03 05:37:51.8712017-09-03 05:37:51.871:@ **È>·ôÐKÓ  ?Õ,&  0H!€*§ôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..”..2017-10-23 07:31:34.463ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db2017-09-03 05:37:51.8712017-09-03 05:37:51.871\msgÈ**È]ÕôÐKÓ  ?Õ,&  0H!€>·ôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..”..2017-10-23 07:31:34.463ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db2017-09-03 05:37:51.8712017-09-03 05:37:51.871ms\PÈ**ÈZýôÐKÓ  ?Õ,&  0H!€]ÕôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..”..2017-10-23 07:31:34.463ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db2017-09-03 05:37:51.8712017-09-03 05:37:51.871sersÈ**ÀØ‹'ôÐKÓ  ?Õ,&  0H‹!€ZýôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé....2017-10-23 07:31:34.463ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db2017-09-03 05:37:51.8712017-09-03 05:37:51.871stÀ**ÈÇš'ôÐKÓ  ?Õ,&  0H!€Ø‹'ôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..”..2017-10-23 07:31:34.510ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db2017-09-03 05:37:51.8712017-09-03 05:37:51.8713 07È**ÈîŸ'ôÐKÓ  ?Õ,&  0H!€Çš'ôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..”..2017-10-23 07:31:34.510ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db2017-09-03 05:37:51.8712017-09-03 05:37:51.871 tÈ**Ø?@0ôÐKÓ  ?Õ,&  0H£!€îŸ'ôÐKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..¨..2017-10-23 07:31:34.510ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db2017-09-03 05:37:51.8712017-09-03 05:37:51.871owØ**Ø (+›ôÐKÓ  ?Õ,&  0H¡!€?@0ôÐKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé..¦..2017-10-23 07:31:34.588ŸR S–«Y­{ C:\Windows\Explorer.EXEC:\Users\MNWPRO\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db2017-09-03 05:37:51.8712017-09-03 05:37:51.871monØ**€ !D»÷ôÐKÓ  ?Õ,&  0HM!€(+›ôÐKÓ„Ø!Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ"À5ñxaæâçz|°âÊRÿÿFAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .Tl(& ZJ`2017-10-23 07:31:35.260ŸR ךíYøÒ•¼C:\Windows\System32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe27_ Global\UsGthrCtrlFltPipeMssGthrPipe27 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=95BEE7F8274B133E9AB524C330ACAE7E69492CFDŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding€ **ø"š$iõÐKÓ  ?Õ,&  0H¿!€D»÷ôÐKÓ„Ø"Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".^,8, ZPV2017-10-23 07:31:35.894ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exe coC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" l\Prø**0#r—ŠõÐKÓ  ?Õ,&  0H÷!€š$iõÐKÓ„Ø#Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".>¢(, Z>Z2017-10-23 07:31:36.627ŸR ØšíYÒæ•ØC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch0**ø$Á—õÐKÓ  ?Õ,&  0H¿!€r—ŠõÐKÓ„Ø$Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".6T8, ZPV2017-10-23 07:31:36.854ŸR ØšíYð&–ÀC:\Windows\SysWOW64\cmd.execmd.exe /c start /b @WanaDecryptor@.exe vsC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=574F512A44097275658F9C304EF0B74029E9EA46ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" üéø**0%>LöÐKÓ  ?Õ,&  0H÷!€Á—õÐKÓ„Ø%Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".P„(& ZJ`2017-10-23 07:31:36.914ŸR ØšíYO)–dC:\Windows\System32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 688 692 700 8192 696 C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççMediumSHA1=E650ECE4807C47CE70E4773B298CE789D3885072ŸR j–«YsòÐC:\Windows\System32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding2\tc0**(&SK\öÐKÓ  ?Õ,&  0Hñ!€>LöÐKÓ„Ø&Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".>¢(& Z>Z2017-10-23 07:31:38.133ŸR ÚšíY5–À C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch(**ð'~ItöÐKÓ  ?Õ,&  0H¹!€SK\öÐKÓ„Ø'Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".^&8, ZPV2017-10-23 07:31:38.238ŸR ÚšíY¶7–pC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" 17-ð**Ð( VïöÐKÓ  ?Õ,&  0H!€~ItöÐKÓ„Ø(Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".628, ZPV2017-10-23 07:31:38.393ŸR ÚšíY;–àC:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nabdrhfcwdww555" /t REG_SZ /d "\"C:\tool-test\tools\tasksche\tasksche.exe\"" /fC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=574F512A44097275658F9C304EF0B74029E9EA46ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" Ð**¸)Ÿ ðöÐKÓ  ?Õ,&  0H…!€ VïöÐKÓ„Ø)Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I¢å _Ö¡`Ÿ(À›AÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .>2017-10-23 07:31:39.197ŸR ÕšíY𹕤C:\Windows\System32\consent.exe0¸**(*ˆ„ ÷ÐKÓ  ?Õ,&  0Hñ!€Ÿ ðöÐKÓ„Ø*Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".>¢(& Z>Z2017-10-23 07:31:39.207ŸR ÛšíYFB–@C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchsof(**¸+÷— ÷ÐKÓ  ?Õ,&  0H!€ˆ„ ÷ÐKÓ„Ø+Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".>n, Z622017-10-23 07:31:39.507ŸR ÛšíY‚F–C:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR ÚšíY;–àC:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nabdrhfcwdww555" /t REG_SZ /d "\"C:\tool-test\tools\tasksche\tasksche.exe\"" /f17-0¸**Ø,Ý}(÷ÐKÓ  ?Õ,&  0H¡!€÷— ÷ÐKÓ„Ø,Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".>n, Z6T2017-10-23 07:31:39.507ŸR ÛšíY‰E–TC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR ØšíYð&–ÀC:\Windows\SysWOW64\cmd.execmd.exe /c start /b @WanaDecryptor@.exe vs!Ø**0-o€K÷ÐKÓ  ?Õ,&  0Hý!€Ý}(÷ÐKÓ„Ø-Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".@æ(,Z..2017-10-23 07:31:39.576ŸR ÛšíYêH–TC:\Windows\System32\eventvwr.exe"C:\Windows\system32\eventvwr.exe" /l:"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%%4Operational.evtx"C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=967A4A8C5AE701AB8EA069F45764EB09AF4A89D2ŸR S–«Y­{ C:\Windows\explorer.exeC:\Windows\Explorer.EXEt0**Ø.DõK÷ÐKÓ  ?Õ,&  0H¥!€o€K÷ÐKÓ„Ø.Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".^.8, Z6T2017-10-23 07:31:39.806ŸR ÛšíYWQ–ÈC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exe vsC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR ØšíYð&–ÀC:\Windows\SysWOW64\cmd.execmd.exe /c start /b @WanaDecryptor@.exe vs6Ø**Ð/@ËM÷ÐKÓ  ?Õ,&  0H›!€DõK÷ÐKÓ„Ø/Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.62017-10-23 07:31:39.806ŸR ØšíYð&–ÀC:\Windows\SysWOW64\cmd.exeÐ**Ø0:ïT÷ÐKÓ  ?Õ,&  0H£!€@ËM÷ÐKÓ„Ø0Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.>2017-10-23 07:31:39.822ŸR ÛšíY‰E–TC:\Windows\System32\conhost.exeØ**€1í øÐKÓ  ?Õ,&  0HK!€:ïT÷ÐKÓ„Ø1Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".68, Z622017-10-23 07:31:39.849ŸR ÛšíYñS–œC:\Windows\SysWOW64\reg.exereg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nabdrhfcwdww555" /t REG_SZ /d "\"C:\tool-test\tools\tasksche\tasksche.exe\"" /fC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=AD39455D3485B8CD9882A5B2315A9C1E9ED6886AŸR ÚšíY;–àC:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nabdrhfcwdww555" /t REG_SZ /d "\"C:\tool-test\tools\tasksche\tasksche.exe\"" /fga€**Ð2w øÐKÓ  ?Õ,&  0H›!€í øÐKÓ„Ø2Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.62017-10-23 07:31:41.057ŸR ÛšíYñS–œC:\Windows\SysWOW64\reg.exePÐ**Ð3lö øÐKÓ  ?Õ,&  0H›!€w øÐKÓ„Ø3Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.62017-10-23 07:31:41.057ŸR ÚšíY;–àC:\Windows\SysWOW64\cmd.exeÐ**Ø4v׳øÐKÓ  ?Õ,&  0H£!€lö øÐKÓ„Ø4Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.>2017-10-23 07:31:41.072ŸR ÛšíY‚F–C:\Windows\System32\conhost.exe\UØ**È5KBÇøÐKÓ  ?Õ,&  0H•!€v׳øÐKÓ„Ø5Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".L8, ZPV2017-10-23 07:31:42.058ŸR ÞšíY2d–ÌC:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" 6È**06âõùÐKÓ  ?Õ,&  0H÷!€KBÇøÐKÓ„Ø6Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".6"(,Z@ä2017-10-23 07:31:42.247ŸR ÞšíY‖( C:\Windows\System32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%%4Operational.evtx"C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=CF7AD4F94EDA214BD5283CB8AD57DB52D2D558FCŸR ÛšíYêH–TC:\Windows\System32\eventvwr.exe"C:\Windows\system32\eventvwr.exe" /l:"C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx"che\0**Ø7&hdùÐKÓ  ?Õ,&  0H¥!€âõùÐKÓ„Ø7Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.@2017-10-23 07:31:42.760ŸR ÛšíYêH–TC:\Windows\System32\eventvwr.exerØ**Ø8×ÓmùÐKÓ  ?Õ,&  0H£!€&hdùÐKÓ„Ø8Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.>2017-10-23 07:31:43.323ŸR ÚšíY5–À C:\Windows\System32\dllhost.exeidØ**è9ŸëîùÐKÓ  ?Õ,&  0H±!€×ÓmùÐKÓ„Ø9Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.L2017-10-23 07:31:43.385ŸR ÞšíY2d–ÌC:\tool-test\tools\tasksche\taskdl.exe17-è**Ø:Ž¥­úÐKÓ  ?Õ,&  0H£!€ŸëîùÐKÓ„Ø:Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.>2017-10-23 07:31:44.229ŸR ÛšíYFB–@C:\Windows\System32\dllhost.exeØ**Ø;qÒˆýÐKÓ  ?Õ,&  0H£!€Ž¥­úÐKÓ„Ø;Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.>2017-10-23 07:31:45.478ŸR ØšíYÒæ•ØC:\Windows\System32\dllhost.exeO\Ø**È<çPýÐKÓ  ?Õ,&  0H•!€qÒˆýÐKÓ„Ø<Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.^j..2017-10-23 07:31:50.213ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeC:\tool-test\tools\tasksche\TaskData\Tor\libeay32.dll1999-12-31 16:00:00.0002017-10-23 07:31:49.619\È**Ø=•õ–ýÐKÓ  ?Õ,&  0H¡!€çPýÐKÓ„Ø=Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.^v..2017-10-23 07:31:50.306ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeC:\tool-test\tools\tasksche\TaskData\Tor\libevent-2-0-5.dll1999-12-31 16:00:00.0002017-10-23 07:31:50.213:\tØ**à>_4ùýÐKÓ  ?Õ,&  0H«!€•õ–ýÐKÓ„Ø>Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.^€..2017-10-23 07:31:50.322ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeC:\tool-test\tools\tasksche\TaskData\Tor\libevent_core-2-0-5.dll1999-12-31 16:00:00.0002017-10-23 07:31:50.3061:à**à?r?5þÐKÓ  ?Õ,&  0H­!€_4ùýÐKÓ„Ø?Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.^‚..2017-10-23 07:31:50.963ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeC:\tool-test\tools\tasksche\TaskData\Tor\libevent_extra-2-0-5.dll1999-12-31 16:00:00.0002017-10-23 07:31:50.369.à**Ø@ÕšDþÐKÓ  ?Õ,&  0H£!€r?5þÐKÓ„Ø@Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.^x..2017-10-23 07:31:51.400ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeC:\tool-test\tools\tasksche\TaskData\Tor\libgcc_s_sjlj-1.dll1999-12-31 16:00:00.0002017-10-23 07:31:50.963alØ**ÈAÒEþÐKÓ  ?Õ,&  0H•!€ÕšDþÐKÓ„ØAMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.^j..2017-10-23 07:31:51.432ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeC:\tool-test\tools\tasksche\TaskData\Tor\libssp-0.dll1999-12-31 16:00:00.0002017-10-23 07:31:51.400rÈ**ÈB ºÄþÐKÓ  ?Õ,&  0H•!€ÒEþÐKÓ„ØBMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.^j..2017-10-23 07:31:51.478ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeC:\tool-test\tools\tasksche\TaskData\Tor\ssleay32.dll1999-12-31 16:00:00.0002017-10-23 07:31:51.432rÈ**ÀC@ŒæþÐKÓ  ?Õ,&  0H‹!€ ºÄþÐKÓ„ØCMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.^`..2017-10-23 07:31:52.338ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeC:\tool-test\tools\tasksche\TaskData\Tor\tor.exe1999-12-31 16:00:00.0002017-10-23 07:31:51.494HÀ**ÈDL¬;ÿÐKÓ  ?Õ,&  0H!€@ŒæþÐKÓ„ØDMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlüé.^d..2017-10-23 07:31:52.541ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeC:\tool-test\tools\tasksche\TaskData\Tor\zlib1.dll1999-12-31 16:00:00.0002017-10-23 07:31:52.384È**èELKÿÐKÓ  ?Õ,&  0Hµ!€L¬;ÿÐKÓ„ØEMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".j28, Z^,2017-10-23 07:31:53.113ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=53912D33BEC3375153B7E4E68B78D66DAB62671AŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exe conè**èFx'ïÑKÓ  ?Õ,&  0H³!€LKÿÐKÓ„ØFMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".>n, Zj22017-10-23 07:31:53.216ŸR éšíYZî–øC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe\Uè**ˆGÑohÑKÓ  ?Õ,&  0HQ!€x'ïÑKÓ„TGMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#O£écß#O*ú6†öE6^OÊ^”ÿÿˆAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ8=User Aÿÿ'8=Protocol Aÿÿ)8= Initiated  Aÿÿ/8!= SourceIsIpv6  Aÿÿ'8=SourceIp Aÿÿ38%=SourceHostname Aÿÿ+8= SourcePort Aÿÿ38%=SourcePortName Aÿÿ98+=DestinationIsIpv6 Aÿÿ18#= DestinationIp Aÿÿ=8/=DestinationHostname Aÿÿ58'=DestinationPort Aÿÿ=8/=DestinationPortName .j,   2017-10-23 07:31:59.569ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEíÇ127.0.0.1DESKTOP-DF4ULDEìÇ\tcˆ**ØH¶™ÑKÓ  ?Õ,&  0H¥!€ÑohÑKÓ„THMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#O£.j,   2017-10-23 07:31:59.569ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEìÇ127.0.0.1DESKTOP-DF4ULDEíÇoØ**ÈI-kÑKÓ  ?Õ,&  0H“!€¶™ÑKÓ„ØIMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".>J(& Z>T2017-10-23 07:32:02.125ŸR òšíYˆJ—`C:\Windows\System32\consent.execonsent.exe 1012 686 000001F7C35B1010C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=B02648A975909E63D93E3531C1250F89BA676F9FŸR –«Y³ûôC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcsLiÈ**0J1¼ ÑKÓ  ?Õ,&  0H÷!€-kÑKÓ„ØJMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".>¢(, Z>Z2017-10-23 07:32:05.146ŸR õšíYVÁ—P C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchrati0**ØK¹€ø ÑKÓ  ?Õ,&  0H£!€1¼ ÑKÓ„ØKMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.>2017-10-23 07:32:10.739ŸR õšíYVÁ—P C:\Windows\System32\dllhost.exe88Ø**ðL€(® ÑKÓ  ?Õ,&  0H¹!€¹€ø ÑKÓ„ØLMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".^&8, ZPV2017-10-23 07:32:11.138ŸR ûšíY·U˜0C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" pW*Âàð**ÈMCÖ` ÑKÓ  ?Õ,&  0H•!€€(® ÑKÓ„ØMMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".L8, ZPV2017-10-23 07:32:13.975ŸR ýšíY2X˜8C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" È**èNV\» ÑKÓ  ?Õ,&  0H±!€CÖ` ÑKÓ„ØNMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.L2017-10-23 07:32:15.176ŸR ýšíY2X˜8C:\tool-test\tools\tasksche\taskdl.exeHè**øO×½ÑKÓ  ?Õ,&  0HÃ!€V\» ÑKÓ„ØOMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.^2017-10-23 07:32:15.770ŸR ûšíY·U˜0C:\tool-test\tools\tasksche\@WanaDecryptor@.exetcø**˜P¸Ô1ÑKÓ  ?Õ,&  0Ha!€×½ÑKÓ„ØPMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".x¨(& Zbf2017-10-23 07:32:20.804ŸR ›íYŸš™C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1920 1080 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"pW*Âà˜**Q`‹jÑKÓ  ?Õ,&  0HÝ!€¸Ô1ÑKÓ„ØQMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.x2017-10-23 07:32:21.567ŸR ›íYŸš™C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe **(R8ëïÑKÓ  ?Õ,&  0Hñ!€`‹jÑKÓ„ØRMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".>¢(& Z>Z2017-10-23 07:32:26.986ŸR ›íYÜEšüC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchsof(**ØSÂËñÑKÓ  ?Õ,&  0H£!€8ëïÑKÓ„ØSMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.>2017-10-23 07:32:27.848ŸR òšíYˆJ—`C:\Windows\System32\consent.exe2:Ø**(TPeÑKÓ  ?Õ,&  0Hñ!€ÂËñÑKÓ„ØTMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".>¢(& Z>Z2017-10-23 07:32:27.871ŸR ›íYRš@ C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchdow(**@UäáGÑKÓ  ?Õ,&  0H!€PeÑKÓ„ØUMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".6Ê(,Z^.2017-10-23 07:32:27.967ŸR ›íYUš\C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietC:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=574F512A44097275658F9C304EF0B74029E9EA46ŸR ÛšíYWQ–ÈC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exe vs-23 @**øVýôËÑKÓ  ?Õ,&  0HÃ!€äáGÑKÓ„ØVMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.^2017-10-23 07:32:28.427ŸR ÛšíYWQ–ÈC:\tool-test\tools\tasksche\@WanaDecryptor@.exee\ø**ÐW_ùËÑKÓ  ?Õ,&  0H™!€ýôËÑKÓ„TWMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#O£.^,   2017-10-23 07:32:28.178ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEöÇ127.0.0.1DESKTOP-DF4ULDEZ#4ŸRÐ**ØXÒûËÑKÓ  ?Õ,&  0H¥!€_ùËÑKÓ„TXMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#O£.j,   2017-10-23 07:32:28.178ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEöÇPØ**ÐYyšÌÑKÓ  ?Õ,&  0H™!€ÒûËÑKÓ„TYMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#O£.^,   2017-10-23 07:32:28.205ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDE÷Ç127.0.0.1DESKTOP-DF4ULDEZ#dowÐ**ØZ³ÆõÑKÓ  ?Õ,&  0H¥!€yšÌÑKÓ„TZMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#O£.j,   2017-10-23 07:32:28.205ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDE÷ÇwØ**H[1w>ÑKÓ  ?Õ,&  0H!€³ÆõÑKÓ„Ø[Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".>n,Z6Ê2017-10-23 07:32:29.576ŸR ›íYfš¸C:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsDESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=3D8E3250CF20BDD8BF68498B7AEE448EF95BE41FŸR ›íYUš\C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet*H**8\– ÑKÓ  ?Õ,&  0H!€1w>ÑKÓ„Ø\Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".@J(,Z6Ê2017-10-23 07:32:30.041ŸR ›íYåušÀC:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=6CB1805CC1ACD54478E0FBCAE940026CD262FE00ŸR ›íYUš\C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet\8** ]¿9”ÑKÓ  ?Õ,&  0Hm!€– ÑKÓ„Ø]Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".::(& Z@@2017-10-23 07:32:31.501ŸR ›íYX’šØC:\Windows\System32\VSSVC.exeC:\Windows\system32\vssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=19625800A6731E94168EF42AFB9166347D25B699ŸR –«YjtC:\Windows\System32\services.exeC:\Windows\system32\services.exe: **Ø^©Õ±ÑKÓ  ?Õ,&  0H£!€¿9”ÑKÓ„Ø^Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.>2017-10-23 07:32:32.286ŸR ›íYÜEšüC:\Windows\System32\dllhost.exer.Ø**Ø_­CìÑKÓ  ?Õ,&  0H¥!€©Õ±ÑKÓ„Ø_Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.@2017-10-23 07:32:32.473ŸR ›íYåušÀC:\Windows\SysWOW64\vssadmin.exeàØ** `öÕòÑKÓ  ?Õ,&  0Hí!€­CìÑKÓ„Ø`Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".B0(,Z6Ê2017-10-23 07:32:32.860ŸR ›íY𳚠C:\Windows\SysWOW64\wbem\WMIC.exewmic shadowcopy delete C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=65EA9CED61EC05D1ECAB0490E1A362007EB5BA02ŸR ›íYUš\C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet **ØaåyÑKÓ  ?Õ,&  0H£!€öÕòÑKÓ„ØaMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å‹I.>2017-10-23 07:32:32.911ŸR ›íYRš@ C:\Windows\System32\dllhost.exe96Øb2017-09-03   ?Õ,&  0H€åyÑKÓ„ØbMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxÓ".Jr(8 ws-Sysmon/2017-10-23 07:32:35.445ŸR ›íYÞšpC:\Windows\SysWOW64\wbem\WmiPrvSE.exeC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -EmbeddingC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystem3 07:31:34.463tÀksche\tasksche.exeKÓElfChnkb¶b¶€8üÿs3ÅÚе“øóè8=Î÷²›f?øm©MFº&é“ ?**X bþñ\ÑKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0Hw!€åyÑKÓ„ØbMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxéÀ5ñxaæâçz|°âÊ€ÿÿtD‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .Jr(8 Z>Z2017-10-23 07:32:35.445ŸR ›íYÞšpC:\Windows\SysWOW64\wbem\WmiPrvSE.exeC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -EmbeddingC:\Windows\system32\NT AUTHORITY\NETWORK SERVICEŸR –«Y ääSystemSHA1=0E8D79BB8B35206CE8A71F7BB0751C1F891AC9D4ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchX **Àc|úwÑKÓ  ?Õ,&  0H‰!€þñ\ÑKÓ„ØcMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“¢å _Ö¡`Ÿ(À›AÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .B2017-10-23 07:32:36.957ŸR ›íY𳚠C:\Windows\SysWOW64\wbem\WMIC.exeÀ**ÐdÞxÑKÓ  ?Õ,&  0H›!€|úwÑKÓ„ØdMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.62017-10-23 07:32:37.130ŸR ›íYUš\C:\Windows\SysWOW64\cmd.exesoÐ**ØešeˆÑKÓ  ?Õ,&  0H£!€ÞxÑKÓ„ØeMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.>2017-10-23 07:32:37.130ŸR ›íYfš¸C:\Windows\System32\conhost.exetiØ**ðf{»HÑKÓ  ?Õ,&  0H¹!€šeˆÑKÓ„ØfMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:32:42.092ŸR ›íYuÑ›TC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" _wið**Èg»zÑKÓ  ?Õ,&  0H•!€{»HÑKÓ„ØgMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:32:45.217ŸR ›íYj÷›ìC:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" È**èh½’ÑKÓ  ?Õ,&  0H±!€»zÑKÓ„ØhMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:32:45.535ŸR ›íYj÷›ìC:\tool-test\tools\tasksche\taskdl.exedb2è**øi%4¦ ÑKÓ  ?Õ,&  0HÃ!€½’ÑKÓ„ØiMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:32:45.660ŸR ›íYuÑ›TC:\tool-test\tools\tasksche\@WanaDecryptor@.exeø**˜j4±!ÑKÓ  ?Õ,&  0Ha!€%4¦ ÑKÓ„ØjMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.x¨(& Zbf2017-10-23 07:32:49.187ŸR !›íY6òœøC:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1920 1080 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"Aÿÿ3˜**k…rl.ÑKÓ  ?Õ,&  0HÝ!€4±!ÑKÓ„ØkMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.x2017-10-23 07:32:49.801ŸR !›íY6òœøC:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exeo**ðlÕdì.ÑKÓ  ?Õ,&  0H¹!€…rl.ÑKÓ„ØlMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:33:12.291ŸR 8›íYåöŸØC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" ndeð**øm¨»`0ÑKÓ  ?Õ,&  0HÃ!€Õdì.ÑKÓ„ØmMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:33:13.129ŸR 8›íYåöŸØC:\tool-test\tools\tasksche\@WanaDecryptor@.exeooø**Ènnp0ÑKÓ  ?Õ,&  0H•!€¨»`0ÑKÓ„ØnMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:33:15.568ŸR ;›íY^þŸC:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" 3È**èoz¢8ÑKÓ  ?Õ,&  0H±!€np0ÑKÓ„ØoMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:33:15.676ŸR ;›íY^þŸC:\tool-test\tools\tasksche\taskdl.exe¨è**xpQ¢8ÑKÓ  ?Õ,&  0HE!€z¢8ÑKÓ„TpMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3cß#O*ú6†öE6^OÊ^”ÿÿˆAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ8=User Aÿÿ'8=Protocol Aÿÿ)8= Initiated  Aÿÿ/8!= SourceIsIpv6  Aÿÿ'8=SourceIp Aÿÿ38%=SourceHostname Aÿÿ+8= SourcePort Aÿÿ38%=SourcePortName Aÿÿ98+=DestinationIsIpv6 Aÿÿ18#= DestinationIp Aÿÿ=8/=DestinationHostname Aÿÿ58'=DestinationPort Aÿÿ=8/=DestinationPortName .^,   2017-10-23 07:33:28.244ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEúÇ127.0.0.1DESKTOP-DF4ULDEZ#sx**Øq³…S=ÑKÓ  ?Õ,&  0H¥!€Q¢8ÑKÓ„TqMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.j,   2017-10-23 07:33:28.244ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEúÇØ**èr%'è>ÑKÓ  ?Õ,&  0H¯!€³…S=ÑKÓ„ØrMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.J2017-10-23 07:33:37.287ŸR ›íYÞšpC:\Windows\SysWOW64\wbem\WmiPrvSE.exeF6C3è**såõq@ÑKÓ  ?Õ,&  0Hã!€%'è>ÑKÓ„ØsMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü ?Ó3tlüâ:IŽ'1¶ÌÔˆŒÿÿ€Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .T..2017-10-23 07:33:39.942ŸR ­šíYj“˜C:\Windows\system32\backgroundTaskHost.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131532174691448268.txt.~tmp2017-10-23 07:33:39.3802017-10-23 07:33:39.848es**ðt9ÛXBÑKÓ  ?Õ,&  0H¹!€åõq@ÑKÓ„ØtMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:33:42.402ŸR V›íY] èC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" tasð**ÈuظuBÑKÓ  ?Õ,&  0H•!€9ÛXBÑKÓ„ØuMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:33:45.722ŸR Y›íY½a (C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" :È**èv`½uBÑKÓ  ?Õ,&  0H±!€Ø¸uBÑKÓ„ØvMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:33:45.895ŸR Y›íY½a (C:\tool-test\tools\tasksche\taskdl.exe>Zè**øwPš KÑKÓ  ?Õ,&  0HÃ!€`½uBÑKÓ„ØwMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:33:45.911ŸR V›íY] èC:\tool-test\tools\tasksche\@WanaDecryptor@.exeŸRø**àxÕ•PÑKÓ  ?Õ,&  0H«!€Pš KÑKÓ„ØxMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.F2017-10-23 07:34:01.285ŸR šíY½Ò‹DC:\Windows\System32\smartscreen.exealà**ðy®7žPÑKÓ  ?Õ,&  0H¹!€Õ•PÑKÓ„ØyMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.T2017-10-23 07:34:09.598ŸR ךíYøÒ•¼C:\Windows\System32\SearchProtocolHost.exe448ð**èzX„DRÑKÓ  ?Õ,&  0Hµ!€®7žPÑKÓ„ØzMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.P2017-10-23 07:34:09.645ŸR ØšíYO)–dC:\Windows\System32\SearchFilterHost.exeè**ð{ŠÁRÑKÓ  ?Õ,&  0H¹!€X„DRÑKÓ„Ø{Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:34:12.430ŸR t›íYO— C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" 0ð**ø|&Ù]TÑKÓ  ?Õ,&  0HÃ!€ŠÁRÑKÓ„Ø|Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:34:13.239ŸR t›íYO— C:\tool-test\tools\tasksche\@WanaDecryptor@.exendø**È}P¥kTÑKÓ  ?Õ,&  0H•!€&Ù]TÑKÓ„Ø}Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:34:15.944ŸR w›íYp½ ˜C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" hÈ**è~ønóWÑKÓ  ?Õ,&  0H±!€P¥kTÑKÓ„Ø~Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:34:16.036ŸR w›íYp½ ˜C:\tool-test\tools\tasksche\taskdl.exe**è**˜icXÑKÓ  ?Õ,&  0Ha!€ønóWÑKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.x¨(& Zbf2017-10-23 07:34:21.968ŸR }›íYÓ ” C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1920 1080 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"sof˜**€¢ÁÇ^ÑKÓ  ?Õ,&  0HÝ!€icXÑKÓ„Ø€Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.x2017-10-23 07:34:22.692ŸR }›íYÓ ” C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exee**ÐdÂÇ^ÑKÓ  ?Õ,&  0H™!€¢ÁÇ^ÑKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.^,   2017-10-23 07:34:31.318ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEüÇ127.0.0.1DESKTOP-DF4ULDEZ#Ð**Ø‚s(dÑKÓ  ?Õ,&  0H¥!€dÂÇ^ÑKÓ„T‚Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.j,   2017-10-23 07:34:31.318ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEüÇ0Ø**ðƒêŽAgÑKÓ  ?Õ,&  0H¹!€s(dÑKӄ؃Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:34:42.448ŸR ’›íYÈë LC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" :42ð**È„þ‹gÑKÓ  ?Õ,&  0H•!€êŽAgÑKÓ„Ø„Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:34:47.099ŸR —›íYnñ ôC:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" 2È**è…g—ägÑKÓ  ?Õ,&  0H±!€þ‹gÑKÓ„Ø…Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:34:48.130ŸR —›íYnñ ôC:\tool-test\tools\tasksche\taskdl.exeHiè**ø†žY&vÑKÓ  ?Õ,&  0HÃ!€g—ägÑKӄ؆Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:34:48.707ŸR ’›íYÈë LC:\tool-test\tools\tasksche\@WanaDecryptor@.exeø**ð‡”ÏÝvÑKÓ  ?Õ,&  0H¹!€žY&vÑKӄ؇Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:35:12.488ŸR °›íYŸ¡ÐC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" 9ð**øˆu]pyÑKÓ  ?Õ,&  0HÃ!€”ÏÝvÑKӄ؈Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:35:13.817ŸR °›íYŸ¡ÐC:\tool-test\tools\tasksche\@WanaDecryptor@.exeø**ȉ„‚yyÑKÓ  ?Õ,&  0H•!€u]pyÑKӄ؉Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:35:18.151ŸR ¶›íYØ¡ÀC:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" iÈ**èŠw }ÑKÓ  ?Õ,&  0H±!€„‚yyÑKÓ„ØŠMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:35:18.208ŸR ¶›íYØ¡ÀC:\tool-test\tools\tasksche\taskdl.exe0-2è**ð‹U{ÃÑKÓ  ?Õ,&  0H¹!€w }ÑKÓ„Ø‹Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.T2017-10-23 07:35:24.098ŸR ­šíYj“˜C:\Windows\System32\backgroundTaskHost.exesksð**ÐŒà|ÃÑKÓ  ?Õ,&  0H™!€U{ÃÑKÓ„TŒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.^,   2017-10-23 07:35:34.348ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEýÇ127.0.0.1DESKTOP-DF4ULDEZ#s\tÐ**ØpL…ÑKÓ  ?Õ,&  0H¥!€à|ÃÑKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.j,   2017-10-23 07:35:34.348ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEýÇoØ**ØŽ„7ˆÑKÓ  ?Õ,&  0HŸ!€pL…ÑKÓ„ØŽMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.:2017-10-23 07:35:38.036ŸR ›íYX’šØC:\Windows\System32\VSSVC.exeosofØ**ðD|ˆÑKÓ  ?Õ,&  0H¹!€„7ˆÑKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:35:42.706ŸR ΛíYF7¡ C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" sksð**øä+™‹ÑKÓ  ?Õ,&  0HÃ!€D|ˆÑKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:35:42.739ŸR ΛíYF7¡ C:\tool-test\tools\tasksche\@WanaDecryptor@.exeWiø**È‘~•µ‹ÑKÓ  ?Õ,&  0H•!€ä+™‹ÑKÓ„Ø‘Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:35:48.474ŸR Ô›íY2017-10-23 07:36:11.614ŸR šíY“¶‹<C:\Windows\System32\dllhost.exeØ**ð”¶ÐšÑKÓ  ?Õ,&  0H¹!€ZZõ™ÑKÓ„Ø”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:36:12.710ŸR ì›íYßb¡ŒC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" ð**ø•£JŸÑKÓ  ?Õ,&  0HÃ!€¶ÐšÑKÓ„Ø•Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:36:12.942ŸR ì›íYßb¡ŒC:\tool-test\tools\tasksche\@WanaDecryptor@.exeonø**È–6š¥ÑKÓ  ?Õ,&  0H•!€£JŸÑKÓ„Ø–Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:36:18.857ŸR ò›íY°x¡@C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" eÈ**è—äÆW©ÑKÓ  ?Õ,&  0H±!€6š¥ÑKÓ„Ø—Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:36:18.896ŸR ò›íY°x¡@C:\tool-test\tools\tasksche\taskdl.exe=è**ИÇW©ÑKÓ  ?Õ,&  0H™!€äÆW©ÑKÓ„T˜Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.^,   2017-10-23 07:36:37.394ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEÈ127.0.0.1DESKTOP-DF4ULDEZ#Ð**Ø™¾Ü«ÑKÓ  ?Õ,&  0H¥!€ÇW©ÑKÓ„T™Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.j,   2017-10-23 07:36:37.395ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEÈØ**ðš@_ä«ÑKÓ  ?Õ,&  0H¹!€¾Ü«ÑKÓ„ØšMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:36:42.747ŸR œíYÕ—¡ C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" Hð**ø›"ˆŠ¯ÑKÓ  ?Õ,&  0HÃ!€@_ä«ÑKÓ„Ø›Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:36:42.786ŸR œíYÕ—¡ C:\tool-test\tools\tasksche\@WanaDecryptor@.exe2Bø**Èœ…–¯ÑKÓ  ?Õ,&  0H•!€"ˆŠ¯ÑKÓ„ØœMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:36:48.919ŸR œíYú¥¡DC:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" È**蟺ÑKÓ  ?Õ,&  0H±!€…–¯ÑKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:36:48.990ŸR œíYú¥¡DC:\tool-test\tools\tasksche\taskdl.execryè**Øž:œÀ½ÑKÓ  ?Õ,&  0H£!€ŸºÑKÓ„ØžMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.>2017-10-23 07:37:07.506ŸR ã™íYpØŠHC:\Windows\System32\audiodg.exe" Ø**ðŸû™È½ÑKÓ  ?Õ,&  0H¹!€:œÀ½ÑKÓ„ØŸMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:37:12.762ŸR (œíY¥Ô¡äC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" ð**ø üMzÁÑKÓ  ?Õ,&  0HÃ!€û™È½ÑKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:37:12.802ŸR (œíY¥Ô¡äC:\tool-test\tools\tasksche\@WanaDecryptor@.exeø**È¡9î€ÁÑKÓ  ?Õ,&  0H•!€üMzÁÑKÓ„Ø¡Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:37:19.012ŸR /œíYÀ衈 C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" eÈ**è¢>ˆÏÑKÓ  ?Õ,&  0H±!€9î€ÁÑKÓ„Ø¢Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:37:19.052ŸR /œíYÀ衈 C:\tool-test\tools\tasksche\taskdl.exelesè**Уç—ÏÑKÓ  ?Õ,&  0H™!€>ˆÏÑKÓ„T£Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.^,   2017-10-23 07:37:40.430ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEÈ127.0.0.1DESKTOP-DF4ULDEZ#RÐ**ؤ›ÏÑKÓ  ?Õ,&  0H¥!€ç—ÏÑKÓ„T¤Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.j,   2017-10-23 07:37:40.431ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEÈSØ**Ð¥ÕœÏÑKÓ  ?Õ,&  0H™!€›ÏÑKÓ„T¥Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.^,   2017-10-23 07:37:40.431ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEÈ127.0.0.1DESKTOP-DF4ULDEZ#ˆJ—Ð**ئH®©ÏÑKÓ  ?Õ,&  0H¥!€ÕœÏÑKÓ„T¦Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.j,   2017-10-23 07:37:40.431ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEÈEØ**𧆵®ÏÑKÓ  ?Õ,&  0H¹!€H®©ÏÑKӄاMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:37:42.804ŸR FœíY”¢À C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" letð**ø¨ïµgÓÑKÓ  ?Õ,&  0HÃ!€†µ®ÏÑKӄبMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:37:42.833ŸR FœíY”¢À C:\tool-test\tools\tasksche\@WanaDecryptor@.exeF5ø**È©ö¼pÓÑKÓ  ?Õ,&  0H•!€ïµgÓÑKÓ„Ø©Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:37:49.085ŸR MœíYú&¢°C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" àÈ**èªlb’áÑKÓ  ?Õ,&  0H±!€ö¼pÓÑKӄتMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:37:49.146ŸR MœíYú&¢°C:\tool-test\tools\tasksche\taskdl.exeDEZè**ð«ìØšáÑKÓ  ?Õ,&  0H¹!€lb’áÑKÓ„Ø«Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:38:12.857ŸR dœíYñ`¢C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" -Syð**ø¬µGUåÑKÓ  ?Õ,&  0HÃ!€ìØšáÑKӄجMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:38:12.911ŸR dœíYñ`¢C:\tool-test\tools\tasksche\@WanaDecryptor@.exeø**È­$¥`åÑKÓ  ?Õ,&  0H•!€µGUåÑKÓ„Ø­Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:38:19.164ŸR kœíYÅj¢C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" iÈ**è®É:£òÑKÓ  ?Õ,&  0H±!€$¥`åÑKÓ„Ø®Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:38:19.240ŸR kœíYÅj¢C:\tool-test\tools\tasksche\taskdl.exe8B7è**Я];£òÑKÓ  ?Õ,&  0H™!€É:£òÑKÓ„T¯Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.^,   2017-10-23 07:38:40.426ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEÈ127.0.0.1DESKTOP-DF4ULDEZ#\Ð**Ø°rÐuóÑKÓ  ?Õ,&  0H¥!€];£òÑKÓ„T°Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.j,   2017-10-23 07:38:40.426ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEÈ:Ø**ð±é=~óÑKÓ  ?Õ,&  0H¹!€rÐuóÑKӄرMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:38:42.868ŸR ‚œíY·¢Ä C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" 2\vð**ø²eL÷ÑKÓ  ?Õ,&  0HÃ!€é=~óÑKӄزMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:38:42.912ŸR ‚œíY·¢Ä C:\tool-test\tools\tasksche\@WanaDecryptor@.exeø**ȳ2ÌR÷ÑKÓ  ?Õ,&  0H•!€eL÷ÑKӄسMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:38:49.263ŸR ‰œíYË¢¬C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" È**è´Ó,øÑKÓ  ?Õ,&  0H±!€2ÌR÷ÑKÓ„Ø´Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:38:49.349ŸR ‰œíYË¢¬C:\tool-test\tools\tasksche\taskdl.exeE\Mè**µ5žtøÑKÓ  ?Õ,&  0HÍ!€Ó,øÑKӄصMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>J(4 Z>€2017-10-23 07:38:50.711ŸR ŠœíY æ¢x C:\Windows\System32\audiodg.exeC:\Windows\system32\AUDIODG.EXE 0x4e8C:\Windows\system32\NT AUTHORITY\LOCAL SERVICEŸR –«Y ååSystemSHA1=3F4F3B6D6120FB33B4AEEA3723E5D7693F8EC013ŸR –«YêSxC:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted0**ȶáàåýÑKÓ  ?Õ,&  0H•!€5žtøÑKӄضMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü ?.6’..2017-10-23 07:38:51.240ŸR ÀšíYåh”ŒC:\Windows\system32\mmc.exeC:\Users\MNWPRO\AppData\Roaming\Microsoft\Windows\Libraries\~ocuments.tmp2017-09-03 05:37:17.7462017-10-23 07:38:51.114eÈxe -secured   ?Õ,&  0Y\NE€áàåýÑKÓ„Ø·Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙtasksche.exeKÓElfChnk·Â·Â€À/¨1õ±î,6o1óè8=Î÷²›f?øm©MFº&é«ã#**p ·«ZÖÒKÓ  ?Õ,& ?Õ,ßéÉQ ôñä l–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerDESKTOP-DF4ULDEAÿÿB .Security²fLUserID !  0H‹!€áàåýÑKÓ„Ø·Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxéÀ5ñxaæâçz|°âÊ€ÿÿtD‚ EventDataAÿÿ78ΊoData=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ-8= CommandLine Aÿÿ78)=CurrentDirectory Aÿÿ8=User Aÿÿ)8= LogonGuid Aÿÿ%8=LogonId Aÿÿ98+=TerminalSessionId Aÿÿ38%=IntegrityLevel Aÿÿ#8=Hashes Aÿÿ98+=ParentProcessGuid Aÿÿ58'=ParentProcessId Aÿÿ-8= ParentImage Aÿÿ98+=ParentCommandLine .>¢(,Z>Z2017-10-23 07:39:00.378ŸR ”œíYfQ£ÔC:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\DESKTOP-DF4ULDE\MNWPROŸR B–«Y É8É8HighSHA1=389E8332A59F2ECE14E7BCD0D9539681753AC967ŸR –«Y¨¡äC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch|úwp **¸¸!nÒKÓ  ?Õ,&  0H…!€«ZÖÒKӄظMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«¢å _Ö¡`Ÿ(À›AÊÿÿ¾Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image .>2017-10-23 07:39:10.340ŸR ”œíYfQ£ÔC:\Windows\System32\dllhost.exe¸**ð¹>ÝÉÒKÓ  ?Õ,&  0H¹!€!nÒKӄعMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:39:12.932ŸR  œíY>¥£ÀC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" ð**øºÿg8 ÒKÓ  ?Õ,&  0HÃ!€>ÝÉÒKӄغMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«.^2017-10-23 07:39:13.604ŸR  œíY>¥£ÀC:\tool-test\tools\tasksche\@WanaDecryptor@.exe\tø**È»ÂãC ÒKÓ  ?Õ,&  0H•!€ÿg8 ÒKÓ„Ø»Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:39:19.372ŸR §œíY ³£ C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" :È**è¼µSÒKÓ  ?Õ,&  0H±!€ÂãC ÒKӄؼMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«.L2017-10-23 07:39:19.448ŸR §œíY ³£ C:\tool-test\tools\tasksche\taskdl.exeè**ð½GM[ÒKÓ  ?Õ,&  0H¹!€µSÒKӄؽMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:39:43.043ŸR ¿œíY´6¤ C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" ð**ø¾H¨3ÒKÓ  ?Õ,&  0HÃ!€GM[ÒKӄؾMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«.^2017-10-23 07:39:43.088ŸR ¿œíY´6¤ C:\tool-test\tools\tasksche\@WanaDecryptor@.exeraø**x¿¥©3ÒKÓ  ?Õ,&  0HE!€H¨3ÒKÓ„T¿Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oã#cß#O*ú6†öE6^OÊ^”ÿÿˆAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ8=User Aÿÿ'8=Protocol Aÿÿ)8= Initiated  Aÿÿ/8!= SourceIsIpv6  Aÿÿ'8=SourceIp Aÿÿ38%=SourceHostname Aÿÿ+8= SourcePort Aÿÿ38%=SourcePortName Aÿÿ98+=DestinationIsIpv6 Aÿÿ18#= DestinationIp Aÿÿ=8/=DestinationHostname Aÿÿ58'=DestinationPort Aÿÿ=8/=DestinationPortName .^,   2017-10-23 07:39:43.462ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEÈ127.0.0.1DESKTOP-DF4ULDEZ#xx**ØÀ:›'ÒKÓ  ?Õ,&  0H¥!€¥©3ÒKÓ„TÀMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#Oã#.j,   2017-10-23 07:39:43.462ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEÈwØ**ÈÁ¡31ÒKÓ  ?Õ,&  0H•!€:›'ÒKÓ„ØÁMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:39:49.464ŸR ÅœíYWB¤4C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" 7È**è  ?Õ,&  0H±!€¡31ÒKÓ„ØÂMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å«.L2017-10-23 07:39:49.525ŸR ÅœíYWB¤4C:\tool-test\tools\tasksche\taskdl.exesofèWindows-Sysmon/Operational ¢å“.L2017-10-23 07:33:15.676ŸR ;›íY^þŸC:\tool-test\tools\tasksche\taskdl.exe¨è**xpQ¢8ÑKÓ  ?Õ,&  0HE!€z¢8ÑKÓ„TpMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3cß#O*ú6†öE6^OÊ^”ÿÿˆAÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ8=User Aÿÿ'8=Protocol Aÿÿ)8= Initiated  Aÿÿ/8!= SourceIsIpv6  Aÿÿ'8=SourceIp Aÿÿ38%=SourceHostname Aÿÿ+8= SourcePort Aÿÿ38%=SourcePortName Aÿÿ98+=DestinationIsIpv6 Aÿÿ18#= DestinationIp Aÿÿ=8/=DestinationHostname Aÿÿ58'=DestinationPort Aÿÿ=8/=DestinationPortName .^,   2017-10-23 07:33:28.244ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEúÇ127.0.0.1DESKTOP-DF4ULDEZ#sx**Øq³…S=ÑKÓ  ?Õ,&  0H¥!€Q¢8ÑKÓ„TqMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.j,   2017-10-23 07:33:28.244ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEúÇØ**èr%'è>ÑKÓ  ?Õ,&  0H¯!€³…S=ÑKÓ„ØrMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.J2017-10-23 07:33:37.287ŸR ›íYÞšpC:\Windows\SysWOW64\wbem\WmiPrvSE.exeF6C3è**såõq@ÑKÓ  ?Õ,&  0Hã!€%'è>ÑKÓ„ØsMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü ?Ó3tlüâ:IŽ'1¶ÌÔˆŒÿÿ€Aÿÿ%8=UtcTime Aÿÿ-8= ProcessGuid Aÿÿ)8= ProcessId Aÿÿ!8=Image Aÿÿ38%=TargetFilename Aÿÿ58'=CreationUtcTime AÿÿE87=PreviousCreationUtcTime .T..2017-10-23 07:33:39.942ŸR ­šíYj“˜C:\Windows\system32\backgroundTaskHost.exeC:\Users\MNWPRO\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131532174691448268.txt.~tmp2017-10-23 07:33:39.3802017-10-23 07:33:39.848es**ðt9ÛXBÑKÓ  ?Õ,&  0H¹!€åõq@ÑKÓ„ØtMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:33:42.402ŸR V›íY] èC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" tasð**ÈuظuBÑKÓ  ?Õ,&  0H•!€9ÛXBÑKÓ„ØuMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:33:45.722ŸR Y›íY½a (C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" :È**èv`½uBÑKÓ  ?Õ,&  0H±!€Ø¸uBÑKÓ„ØvMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:33:45.895ŸR Y›íY½a (C:\tool-test\tools\tasksche\taskdl.exe>Zè**øwPš KÑKÓ  ?Õ,&  0HÃ!€`½uBÑKÓ„ØwMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:33:45.911ŸR V›íY] èC:\tool-test\tools\tasksche\@WanaDecryptor@.exeŸRø**àxÕ•PÑKÓ  ?Õ,&  0H«!€Pš KÑKÓ„ØxMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.F2017-10-23 07:34:01.285ŸR šíY½Ò‹DC:\Windows\System32\smartscreen.exealà**ðy®7žPÑKÓ  ?Õ,&  0H¹!€Õ•PÑKÓ„ØyMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.T2017-10-23 07:34:09.598ŸR ךíYøÒ•¼C:\Windows\System32\SearchProtocolHost.exe448ð**èzX„DRÑKÓ  ?Õ,&  0Hµ!€®7žPÑKÓ„ØzMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.P2017-10-23 07:34:09.645ŸR ØšíYO)–dC:\Windows\System32\SearchFilterHost.exeè**ð{ŠÁRÑKÓ  ?Õ,&  0H¹!€X„DRÑKÓ„Ø{Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:34:12.430ŸR t›íYO— C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" 0ð**ø|&Ù]TÑKÓ  ?Õ,&  0HÃ!€ŠÁRÑKÓ„Ø|Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:34:13.239ŸR t›íYO— C:\tool-test\tools\tasksche\@WanaDecryptor@.exendø**È}P¥kTÑKÓ  ?Õ,&  0H•!€&Ù]TÑKÓ„Ø}Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:34:15.944ŸR w›íYp½ ˜C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" hÈ**è~ønóWÑKÓ  ?Õ,&  0H±!€P¥kTÑKÓ„Ø~Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:34:16.036ŸR w›íYp½ ˜C:\tool-test\tools\tasksche\taskdl.exe**è**˜icXÑKÓ  ?Õ,&  0Ha!€ønóWÑKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.x¨(& Zbf2017-10-23 07:34:21.968ŸR }›íYÓ ” C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe" 0 1 , 0 0 1920 1080 0C:\Windows\system32\NT AUTHORITY\SYSTEMŸR –«Y ççSystemSHA1=857F42841000FE99606D27C5688836B31882D272ŸR –«Y|“C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"sof˜**€¢ÁÇ^ÑKÓ  ?Õ,&  0HÝ!€icXÑKÓ„Ø€Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.x2017-10-23 07:34:22.692ŸR }›íYÓ ” C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exee**ÐdÂÇ^ÑKÓ  ?Õ,&  0H™!€¢ÁÇ^ÑKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.^,   2017-10-23 07:34:31.318ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEüÇ127.0.0.1DESKTOP-DF4ULDEZ#Ð**Ø‚s(dÑKÓ  ?Õ,&  0H¥!€dÂÇ^ÑKÓ„T‚Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.j,   2017-10-23 07:34:31.318ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEüÇ0Ø**ðƒêŽAgÑKÓ  ?Õ,&  0H¹!€s(dÑKӄ؃Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:34:42.448ŸR ’›íYÈë LC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" :42ð**È„þ‹gÑKÓ  ?Õ,&  0H•!€êŽAgÑKÓ„Ø„Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:34:47.099ŸR —›íYnñ ôC:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" 2È**è…g—ägÑKÓ  ?Õ,&  0H±!€þ‹gÑKÓ„Ø…Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:34:48.130ŸR —›íYnñ ôC:\tool-test\tools\tasksche\taskdl.exeHiè**ø†žY&vÑKÓ  ?Õ,&  0HÃ!€g—ägÑKӄ؆Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:34:48.707ŸR ’›íYÈë LC:\tool-test\tools\tasksche\@WanaDecryptor@.exeø**ð‡”ÏÝvÑKÓ  ?Õ,&  0H¹!€žY&vÑKӄ؇Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:35:12.488ŸR °›íYŸ¡ÐC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" 9ð**øˆu]pyÑKÓ  ?Õ,&  0HÃ!€”ÏÝvÑKӄ؈Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:35:13.817ŸR °›íYŸ¡ÐC:\tool-test\tools\tasksche\@WanaDecryptor@.exeø**ȉ„‚yyÑKÓ  ?Õ,&  0H•!€u]pyÑKӄ؉Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:35:18.151ŸR ¶›íYØ¡ÀC:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" iÈ**èŠw }ÑKÓ  ?Õ,&  0H±!€„‚yyÑKÓ„ØŠMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:35:18.208ŸR ¶›íYØ¡ÀC:\tool-test\tools\tasksche\taskdl.exe0-2è**ð‹U{ÃÑKÓ  ?Õ,&  0H¹!€w }ÑKÓ„Ø‹Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.T2017-10-23 07:35:24.098ŸR ­šíYj“˜C:\Windows\System32\backgroundTaskHost.exesksð**ÐŒà|ÃÑKÓ  ?Õ,&  0H™!€U{ÃÑKÓ„TŒMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.^,   2017-10-23 07:35:34.348ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEýÇ127.0.0.1DESKTOP-DF4ULDEZ#s\tÐ**ØpL…ÑKÓ  ?Õ,&  0H¥!€à|ÃÑKÓ„TMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.j,   2017-10-23 07:35:34.348ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEýÇoØ**ØŽ„7ˆÑKÓ  ?Õ,&  0HŸ!€pL…ÑKÓ„ØŽMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.:2017-10-23 07:35:38.036ŸR ›íYX’šØC:\Windows\System32\VSSVC.exeosofØ**ðD|ˆÑKÓ  ?Õ,&  0H¹!€„7ˆÑKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:35:42.706ŸR ΛíYF7¡ C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" sksð**øä+™‹ÑKÓ  ?Õ,&  0HÃ!€D|ˆÑKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:35:42.739ŸR ΛíYF7¡ C:\tool-test\tools\tasksche\@WanaDecryptor@.exeWiø**È‘~•µ‹ÑKÓ  ?Õ,&  0H•!€ä+™‹ÑKÓ„Ø‘Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:35:48.474ŸR Ô›íY2017-10-23 07:36:11.614ŸR šíY“¶‹<C:\Windows\System32\dllhost.exeØ**ð”¶ÐšÑKÓ  ?Õ,&  0H¹!€ZZõ™ÑKÓ„Ø”Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:36:12.710ŸR ì›íYßb¡ŒC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" ð**ø•£JŸÑKÓ  ?Õ,&  0HÃ!€¶ÐšÑKÓ„Ø•Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:36:12.942ŸR ì›íYßb¡ŒC:\tool-test\tools\tasksche\@WanaDecryptor@.exeonø**È–6š¥ÑKÓ  ?Õ,&  0H•!€£JŸÑKÓ„Ø–Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:36:18.857ŸR ò›íY°x¡@C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" eÈ**è—äÆW©ÑKÓ  ?Õ,&  0H±!€6š¥ÑKÓ„Ø—Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:36:18.896ŸR ò›íY°x¡@C:\tool-test\tools\tasksche\taskdl.exe=è**ИÇW©ÑKÓ  ?Õ,&  0H™!€äÆW©ÑKÓ„T˜Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.^,   2017-10-23 07:36:37.394ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEÈ127.0.0.1DESKTOP-DF4ULDEZ#Ð**Ø™¾Ü«ÑKÓ  ?Õ,&  0H¥!€ÇW©ÑKÓ„T™Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.j,   2017-10-23 07:36:37.395ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEÈØ**ðš@_ä«ÑKÓ  ?Õ,&  0H¹!€¾Ü«ÑKÓ„ØšMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:36:42.747ŸR œíYÕ—¡ C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" Hð**ø›"ˆŠ¯ÑKÓ  ?Õ,&  0HÃ!€@_ä«ÑKÓ„Ø›Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:36:42.786ŸR œíYÕ—¡ C:\tool-test\tools\tasksche\@WanaDecryptor@.exe2Bø**Èœ…–¯ÑKÓ  ?Õ,&  0H•!€"ˆŠ¯ÑKÓ„ØœMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:36:48.919ŸR œíYú¥¡DC:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" È**蟺ÑKÓ  ?Õ,&  0H±!€…–¯ÑKÓ„ØMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:36:48.990ŸR œíYú¥¡DC:\tool-test\tools\tasksche\taskdl.execryè**Øž:œÀ½ÑKÓ  ?Õ,&  0H£!€ŸºÑKÓ„ØžMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.>2017-10-23 07:37:07.506ŸR ã™íYpØŠHC:\Windows\System32\audiodg.exe" Ø**ðŸû™È½ÑKÓ  ?Õ,&  0H¹!€:œÀ½ÑKÓ„ØŸMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:37:12.762ŸR (œíY¥Ô¡äC:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" ð**ø üMzÁÑKÓ  ?Õ,&  0HÃ!€û™È½ÑKÓ„Ø Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:37:12.802ŸR (œíY¥Ô¡äC:\tool-test\tools\tasksche\@WanaDecryptor@.exeø**È¡9î€ÁÑKÓ  ?Õ,&  0H•!€üMzÁÑKÓ„Ø¡Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:37:19.012ŸR /œíYÀ衈 C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" eÈ**è¢>ˆÏÑKÓ  ?Õ,&  0H±!€9î€ÁÑKÓ„Ø¢Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:37:19.052ŸR /œíYÀ衈 C:\tool-test\tools\tasksche\taskdl.exelesè**Уç—ÏÑKÓ  ?Õ,&  0H™!€>ˆÏÑKÓ„T£Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.^,   2017-10-23 07:37:40.430ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEÈ127.0.0.1DESKTOP-DF4ULDEZ#RÐ**ؤ›ÏÑKÓ  ?Õ,&  0H¥!€ç—ÏÑKÓ„T¤Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.j,   2017-10-23 07:37:40.431ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEÈSØ**Ð¥ÕœÏÑKÓ  ?Õ,&  0H™!€›ÏÑKÓ„T¥Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.^,   2017-10-23 07:37:40.431ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEÈ127.0.0.1DESKTOP-DF4ULDEZ#ˆJ—Ð**ئH®©ÏÑKÓ  ?Õ,&  0H¥!€ÕœÏÑKÓ„T¦Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.j,   2017-10-23 07:37:40.431ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEÈEØ**𧆵®ÏÑKÓ  ?Õ,&  0H¹!€H®©ÏÑKӄاMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:37:42.804ŸR FœíY”¢À C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" letð**ø¨ïµgÓÑKÓ  ?Õ,&  0HÃ!€†µ®ÏÑKӄبMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:37:42.833ŸR FœíY”¢À C:\tool-test\tools\tasksche\@WanaDecryptor@.exeF5ø**È©ö¼pÓÑKÓ  ?Õ,&  0H•!€ïµgÓÑKÓ„Ø©Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:37:49.085ŸR MœíYú&¢°C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" àÈ**èªlb’áÑKÓ  ?Õ,&  0H±!€ö¼pÓÑKӄتMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:37:49.146ŸR MœíYú&¢°C:\tool-test\tools\tasksche\taskdl.exeDEZè**ð«ìØšáÑKÓ  ?Õ,&  0H¹!€lb’áÑKÓ„Ø«Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:38:12.857ŸR dœíYñ`¢C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" -Syð**ø¬µGUåÑKÓ  ?Õ,&  0HÃ!€ìØšáÑKӄجMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:38:12.911ŸR dœíYñ`¢C:\tool-test\tools\tasksche\@WanaDecryptor@.exeø**È­$¥`åÑKÓ  ?Õ,&  0H•!€µGUåÑKÓ„Ø­Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:38:19.164ŸR kœíYÅj¢C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" iÈ**è®É:£òÑKÓ  ?Õ,&  0H±!€$¥`åÑKÓ„Ø®Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:38:19.240ŸR kœíYÅj¢C:\tool-test\tools\tasksche\taskdl.exe8B7è**Я];£òÑKÓ  ?Õ,&  0H™!€É:£òÑKÓ„T¯Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.^,   2017-10-23 07:38:40.426ŸR ךíYÕÙ•C:\tool-test\tools\tasksche\@WanaDecryptor@.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEÈ127.0.0.1DESKTOP-DF4ULDEZ#\Ð**Ø°rÐuóÑKÓ  ?Õ,&  0H¥!€];£òÑKÓ„T°Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational cß#OÓ3.j,   2017-10-23 07:38:40.426ŸR éšíYìì–lC:\tool-test\tools\tasksche\TaskData\Tor\taskhsvc.exeDESKTOP-DF4ULDE\MNWPROtcp127.0.0.1DESKTOP-DF4ULDEZ#127.0.0.1DESKTOP-DF4ULDEÈ:Ø**ð±é=~óÑKÓ  ?Õ,&  0H¹!€rÐuóÑKӄرMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.^&8, ZPV2017-10-23 07:38:42.868ŸR ‚œíY·¢Ä C:\tool-test\tools\tasksche\@WanaDecryptor@.exe@WanaDecryptor@.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=45356A9DD616ED7161A3B9192E2F318D0AB5AD10ŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" 2\vð**ø²eL÷ÑKÓ  ?Õ,&  0HÃ!€é=~óÑKӄزMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.^2017-10-23 07:38:42.912ŸR ‚œíY·¢Ä C:\tool-test\tools\tasksche\@WanaDecryptor@.exeø**ȳ2ÌR÷ÑKÓ  ?Õ,&  0H•!€eL÷ÑKӄسMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.L8, ZPV2017-10-23 07:38:49.263ŸR ‰œíYË¢¬C:\tool-test\tools\tasksche\taskdl.exetaskdl.exeC:\tool-test\tools\tasksche\DESKTOP-DF4ULDE\MNWPROŸR C–«Y ÍRÍRMediumSHA1=47A9AD4125B6BD7C55E4E7DA251E23F089407B8FŸR xšíYZ×C:\tool-test\tools\tasksche\tasksche.exe"C:\tool-test\tools\tasksche\tasksche.exe" È**è´Ó,øÑKÓ  ?Õ,&  0H±!€2ÌR÷ÑKÓ„Ø´Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational ¢å“.L2017-10-23 07:38:49.349ŸR ‰œíYË¢¬C:\tool-test\tools\tasksche\taskdl.exeE\Mè**µ5žtøÑKÓ  ?Õ,&  0HÍ!€Ó,øÑKӄصMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational À5ñxé.>J(4 Z>€2017-10-23 07:38:50.711ŸR ŠœíY æ¢x C:\Windows\System32\audiodg.exeC:\Windows\system32\AUDIODG.EXE 0x4e8C:\Windows\system32\NT AUTHORITY\LOCAL SERVICEŸR –«Y ååSystemSHA1=3F4F3B6D6120FB33B4AEEA3723E5D7693F8EC013ŸR –«YêSxC:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted0**ȶáàåýÑKÓ  ?Õ,&  0H•!€5žtøÑKӄضMicrosoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙMicrosoft-Windows-Sysmon/Operational tlü ?.6’..2017-10-23 07:38:51.240ŸR ÀšíYåh”ŒC:\Windows\system32\mmc.exeC:\Users\MNWPRO\AppData\Roaming\Microsoft\Windows\Libraries\~ocuments.tmp2017-09-03 05:37:17.7462017-10-23 07:38:51.114eÈxe -secured   ?Õ,&  0Y\NE€áàåýÑKÓ„Ø·Microsoft-Windows-Sysmon_8pW*ÂàC¿LõiûÙtasksche.exeKÓpython-evtx-0.7.4/tests/data/readme.md000066400000000000000000000011561402613732500176670ustar00rootroot00000000000000The source for system.evtx with md5 182de19fe6a25b928a34ad59af0bbf1e was https://github.com/log2timeline/plaso/tree/1e2fa282efa2f839e1f179a3e98dbf922b5dbbc7/test_data The source for security.evtx with md5 8fa20a376cb6745453bc51f906e0fcd0 was Carlos Dias, via email, on May 4, 2017. The source for ae831beda7dfda43f4de0e18a1035f64/dns_log_malformed.evtx was @stephensheridan, via Github issue #37 (https://github.com/williballenthin/python-evtx/issues/37). The source for d75c90e629f38c7b9e612905e02e2255 issue_38.evtx was @nbareil, via Github issue #38 (https://github.com/williballenthin/python-evtx/issues/38). python-evtx-0.7.4/tests/data/security.evtx000066400000000000000000102100001402613732500206560ustar00rootroot00000000000000ElfFile²€Õ3n?ElfChnk[[€ ý`ÿ¥®wýdW:ìóèf =@q΋÷®›fq?ø=p©MFºî~s.s‘Ó•³¥èc§èp&žmãžÅ-Z**–WWDÙÑ mÊrÇ&mÊrÇ͸ŠgñEi;] “Œ’A†Mº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÖøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿ>F‘;nComputer 37L4247F27-25AÿÿB‹ .Security®fLUserID ! FU!0 €–WWDÙÑ°XP–0ÈÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîÅÝ&ÎîË|Ö Žp)·cî.ÿÿ"ìD‚ EventData**¸–WWDÙÑ mÊrÇ& F!1 €–WWDÙÑ°XP–0ÈÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3 ï:ÚÁ¹öǬr›fË8(ÿÿ„ìAÿÿEf ΊoData%=SubjectUserSid Aÿÿ5f '=SubjectUserName Aÿÿ9f +=SubjectDomainName Aÿÿ3f %=SubjectLogonId Aÿÿ1f #= TargetUserSid Aÿÿ3f %=TargetUserName Aÿÿ7f )=TargetDomainName Aÿÿ1f #= TargetLogonId Aÿÿ)f = LogonType Aÿÿ7f )=LogonProcessName AÿÿIf ;=AuthenticationPackageName Aÿÿ5f '=WorkstationName Aÿÿ)f = LogonGuid Aÿÿ=f /=TransmittedServices Aÿÿ1f #= LmPackageName Aÿÿ)f = KeyLength Aÿÿ)f = ProcessId Aÿÿ-f = ProcessName Aÿÿ)f = IpAddress Aÿÿ#f =IpPort   --SYSTEMNT AUTHORITYç-------¸**Èù|cWDÙÑ mÊrÇ& F¯!5& €ù|cWDÙÑ°XP–0ÈMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇëºìÇ'1°—`A—–—ù tÿÿhìAÿÿ'f =PuaCount Aÿÿ-f = PuaPolicyId °\È**hYÞeWDÙÑ mÊrÇ& FO!6{ €YÞeWDÙÑ°XP–0ÈÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³;2 @Œ0'¿ºW£cZ–!NÿÿBìAÿÿ3f %=TargetUserName Aÿÿ7f )=TargetDomainName Aÿÿ)f = TargetSid Aÿÿ3f %=SubjectUserSid Aÿÿ5f '=SubjectUserName Aÿÿ9f +=SubjectDomainName Aÿÿ3f %=SubjectLogonId Aÿÿ1f #= PrivilegeList Aÿÿ3f %=SamAccountName Aÿÿ+f = SidHistory  " "Backup OperatorsBuiltin '37L4247F27-25$WORKGROUPç-Backup Operators-h**èYÞeWDÙÑ mÊrÇ& FË!6 €YÞeWDÙÑ°XP–0ÈÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³ " Backup OperatorsBuiltin '37L4247F27-25$WORKGROUPç---è**èYÞeWDÙÑ mÊrÇ& FÑ!6{ €YÞeWDÙÑ°XP–0ÈÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³  ReplicatorBuiltin (37L4247F27-25$WORKGROUPç-Replicator-è**ØYÞeWDÙÑ mÊrÇ& F¿!6 €YÞeWDÙÑ°XP–0ÈÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³  ReplicatorBuiltin (37L4247F27-25$WORKGROUPç---Ø**YÞeWDÙÑ mÊrÇ& Fù!6{ €YÞeWDÙÑ°XP–0ÈÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³ * *Remote Desktop UsersBuiltin +37L4247F27-25$WORKGROUPç-Remote Desktop Users-**ð YÞeWDÙÑ mÊrÇ& FÓ!6 €YÞeWDÙÑ°XP–0ÈÌ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³ * Remote Desktop UsersBuiltin +37L4247F27-25$WORKGROUPç---ð**@ YÞeWDÙÑ mÊrÇ& F%!6{ €YÞeWDÙÑ°XP–0ÈÌ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³ @ @Network Configuration OperatorsBuiltin ,37L4247F27-25$WORKGROUPç-Network Configuration Operators-@** YÞeWDÙÑ mÊrÇ& Fé!6 €YÞeWDÙÑ°XP–0ÈÌ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³ @ Network Configuration OperatorsBuiltin ,37L4247F27-25$WORKGROUPç---**ð YÞeWDÙÑ mÊrÇ& FÕ!6{ €YÞeWDÙÑ°XP–0ÈÌ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³  Power UsersBuiltin #37L4247F27-25$WORKGROUPç-Power Users-ð**Ø YÞeWDÙÑ mÊrÇ& FÁ!6 €YÞeWDÙÑ°XP–0ÈÌ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³  Power UsersBuiltin #37L4247F27-25$WORKGROUPç---Ø** ¹?hWDÙÑ mÊrÇ& F!6{ €¹?hWDÙÑ°XP–0ÈÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³ 0 0Cryptographic OperatorsBuiltin 937L4247F27-25$WORKGROUPç-Cryptographic Operators- **ð¹?hWDÙÑ mÊrÇ& FÙ!6 €¹?hWDÙÑ°XP–0ÈÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³ 0 Cryptographic OperatorsBuiltin 937L4247F27-25$WORKGROUPç---ð**˜¹?hWDÙÑ mÊrÇ& F{!1 €¹?hWDÙÑ°XP–0ÈüMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3   B37L4247F27-25$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate-- C:\Windows\System32\services.exe--˜**ð¹?hWDÙÑ mÊrÇ& F×!1@ €¹?hWDÙÑ°XP–0ÈüMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s.3 ®x«C‚Å“Â-ž:ÿÿ.ìAÿÿ3f %=SubjectUserSid Aÿÿ5f '=SubjectUserName Aÿÿ9f +=SubjectDomainName Aÿÿ3f %=SubjectLogonId Aÿÿ1f #= PrivilegeList  &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeð**¨;ÅqWDÙÑ mÊrÇ& F!1 €;ÅqWDÙÑ°XP–0ÈüMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3    B37L4247F27-25$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate-- C:\Windows\System32\services.exe--¨**(;ÅqWDÙÑ mÊrÇ& F !1@ €;ÅqWDÙÑ°XP–0ÈüMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s.  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(** Ÿ½°XDÙÑ mÊrÇ& F‰!1 €Ÿ½°XDÙÑ°XP–0ÈHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3   B37L4247F27-25$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate-- C:\Windows\System32\services.exe-- ** Ÿ½°XDÙÑ mÊrÇ& F !1@ €Ÿ½°XDÙÑ°XP–0ÈHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s. œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜Àá·XDÙÑ mÊrÇ& F{!1 €Àá·XDÙÑ°XP–0ÈHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3   B37L4247F27-25$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate-- C:\Windows\System32\services.exe--˜** Àá·XDÙÑ mÊrÇ& F…!1@ €Àá·XDÙÑ°XP–0ÈHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s. &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜Àá·XDÙÑ mÊrÇ& F{!1 €Àá·XDÙÑ°XP–0ÈHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3   B37L4247F27-25$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate-- C:\Windows\System32\services.exe--˜** Àá·XDÙÑ mÊrÇ& F…!1@ €Àá·XDÙÑ°XP–0ÈHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s. &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜¤¼XDÙÑ mÊrÇ& F{!1 €¤¼XDÙÑ°XP–0ÈHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3   B37L4247F27-25$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate-- C:\Windows\System32\services.exe--˜** ¤¼XDÙÑ mÊrÇ& F…!1@ €¤¼XDÙÑ°XP–0ÈHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s. &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜Lž YDÙÑ mÊrÇ& F{!1 €Lž YDÙÑ°XP–0ÈHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3   B37L4247F27-25$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate-- C:\Windows\System32\services.exe--˜** Lž YDÙÑ mÊrÇ& F…!1@ €Lž YDÙÑ°XP–0ÈHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s. &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **(N©3YDÙÑ mÊrÇ& F!0© €N©3YDÙÑ°XP–08Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîÅ(**(Ò9PYDÙÑ mÊrÇ& F!0  €Ò9PYDÙÑ°XP–0ÈDMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîÅ(** —{YDÙÑ mÊrÇ& F!1 €—{YDÙÑÈü Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3   --ANONYMOUS LOGONNT AUTHORITY;SNtLmSsp NTLM-NTLM V1---**h!¬%CšDÙÑ mÊrÇ& F_!6‚ €¬%CšDÙÑÈP!Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security xÆa-ZxÆaus³>¡±#rúBŠCþÿÿòìAÿÿ!f =Dummy Aÿÿ3f %=TargetUserName Aÿÿ7f )=TargetDomainName Aÿÿ)f = TargetSid Aÿÿ3f %=SubjectUserSid Aÿÿ5f '=SubjectUserName Aÿÿ9f +=SubjectDomainName Aÿÿ3f %=SubjectLogonId Aÿÿ1f #= PrivilegeList Aÿÿ3f %=SamAccountName Aÿÿ-f = DisplayName Aÿÿ9f +=UserPrincipalName Aÿÿ1f #= HomeDirectory Aÿÿ'f =HomePath Aÿÿ+f = ScriptPath Aÿÿ-f = ProfilePath Aÿÿ7f )=UserWorkstations Aÿÿ5f '=PasswordLastSet Aÿÿ3f %=AccountExpires Aÿÿ3f %=PrimaryGroupId Aÿÿ=f /=AllowedToDelegateTo Aÿÿ-f = OldUacValue Aÿÿ-f = NewUacValue Aÿÿ;f -=UserAccountControl Aÿÿ3f %=UserParameters Aÿÿ+f = SidHistory Aÿÿ+f = LogonHours    -Administrator37L4247F27-25ÚÔ.›hVdí:ô37L4247F27-25$WORKGROUPç-------------0x2110x211----h**p"|;T¡DÙÑ mÊrÇ& Fg!1 €|;T¡DÙÑÈH"Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3    @37L4247F27-25$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate-- C:\Windows\System32\services.exe--p**ˆ#|;T¡DÙÑ mÊrÇ& Fƒ!1@ €|;T¡DÙÑÈH#Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s.  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p$àq¢DÙÑ mÊrÇ& Fg!1 €àq¢DÙÑÈH$Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3    @37L4247F27-25$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate-- C:\Windows\System32\services.exe--p**ˆ%àq¢DÙÑ mÊrÇ& Fƒ!1@ €àq¢DÙÑÈH%Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s.  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**à&? ™£DÙÑ OÀS´žmOÀS´'³‰£TxszÊdý©AÿÿMsj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿîøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ$F 37L4247F27-25Aÿÿ‹ ® $=pm5DUserData! u!gL @? ™£DÙÑ<¬& T3[èpT3[ÓˆY}É*ë•ÄlJAÿÿ>q«'ServiceShutdown F@qNwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**˜'–@O£DÙÑ mÊrÇ& F{!1 €–@O£DÙÑ\RegÈH'Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3   B37L4247F27-25$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate-- C:\Windows\System32\services.exe--˜** (–@O£DÙÑ mÊrÇ& F…!1@ €–@O£DÙÑ\RegÈH(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s. &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜)WT£DÙÑ mÊrÇ& F{!1 €WT£DÙÑ\RegÈH)Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3   B37L4247F27-25$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate-- C:\Windows\System32\services.exe--˜** *WT£DÙÑ mÊrÇ& F…!1@ €WT£DÙÑ\RegÈH*Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s. &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **8+2p¯DÙÑ  «Öî~ «Ödð¡E¢]W‹¶öAêMsj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿbøAÿÿF=XAz › Î  ÷  ? fAÿÿ‘ º è AÿÿFFm Aÿÿ©FÎó  ÿÿ(FWIN-03DLIIOFRRAAÿÿ‹ ® ! F!0 €2p¯DÙÑ€xØÜ+Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîÅ8**,2p¯DÙÑ  «Öî~ Fõ!1 €2p¯DÙÑ€xØÜ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3   --SYSTEMNT AUTHORITYç-------**@-£Û€¯DÙÑ  «Öî~ F#!5& €£Û€¯DÙÑ€xØ(-Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇëVÏ@**˜.=ƒ¯DÙÑ  «Öî~ F!1 €=ƒ¯DÙÑ€xØ.Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--¤C:\Windows\System32\services.exe--˜** /=ƒ¯DÙÑ  «Öî~ F…!1@ €=ƒ¯DÙÑ€xØ/Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s. &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨0„ÂŒ¯DÙÑ  «Öî~ F‘!1 €„ÂŒ¯DÙÑ€xØL0Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3  "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--¤C:\Windows\System32\services.exe--¨**(1„ÂŒ¯DÙÑ  «Öî~ F !1@ €„ÂŒ¯DÙÑ€xØL1Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s.  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**`2f«Å±DÙÑ  «Öî~ FG!6x €f«Å±DÙÑ€xØL2Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security 8+LÀs‘ë8+LÀ ˜$BŽâ)½€òKDÿÿ8ìAÿÿ+f = MemberName Aÿÿ)f = MemberSid Aÿÿ3f %=TargetUserName Aÿÿ7f )=TargetDomainName Aÿÿ)f = TargetSid Aÿÿ3f %=SubjectUserSid Aÿÿ5f '=SubjectUserName Aÿÿ9f +=SubjectDomainName Aÿÿ3f %=SubjectLogonId Aÿÿ1f #= PrivilegeList     "-ÚÔ.›hVdí:èNoneWIN-03DLIIOFRRAÚÔ.›hVdí:WIN-03DLIIOFRRA$WORKGROUPç-`** 3f«Å±DÙÑ  «Öî~ Fó!6p €f«Å±DÙÑ€xØL3Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security vÜÓ•vÜ ZNî`øl7жÖÿÿÊìAÿÿ3f %=TargetUserName Aÿÿ7f )=TargetDomainName Aÿÿ)f = TargetSid Aÿÿ3f %=SubjectUserSid Aÿÿ5f '=SubjectUserName Aÿÿ9f +=SubjectDomainName Aÿÿ3f %=SubjectLogonId Aÿÿ1f #= PrivilegeList Aÿÿ3f %=SamAccountName Aÿÿ-f = DisplayName Aÿÿ9f +=UserPrincipalName Aÿÿ1f #= HomeDirectory Aÿÿ'f =HomePath Aÿÿ+f = ScriptPath Aÿÿ-f = ProfilePath Aÿÿ7f )=UserWorkstations Aÿÿ5f '=PasswordLastSet Aÿÿ3f %=AccountExpires Aÿÿ3f %=PrimaryGroupId Aÿÿ=f /=AllowedToDelegateTo Aÿÿ-f = OldUacValue Aÿÿ-f = NewUacValue Aÿÿ;f -=UserAccountControl Aÿÿ3f %=UserParameters Aÿÿ+f = SidHistory Aÿÿ+f = LogonHours    "  >fsirWIN-03DLIIOFRRAÚÔ.›hVdí:èWIN-03DLIIOFRRA$WORKGROUPç-fsir%%1793-%%1793%%1793%%1793%%1793%%1793%%1794%%1794513-0x00x15 %%2080 %%2082 %%2084%%1793-%%1797 **˜4f«Å±DÙÑ  «Öî~ F}!6r €f«Å±DÙÑ€xØL4Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security p!ˆãžp!ˆ ¯­}9Žw´§ªÿÿžìAÿÿ3f %=TargetUserName Aÿÿ7f )=TargetDomainName Aÿÿ)f = TargetSid Aÿÿ3f %=SubjectUserSid Aÿÿ5f '=SubjectUserName Aÿÿ9f +=SubjectDomainName Aÿÿ3f %=SubjectLogonId    "fsirWIN-03DLIIOFRRAÚÔ.›hVdí:èWIN-03DLIIOFRRA$WORKGROUPç˜**5f«Å±DÙÑ  «Öî~ Fç!6‚ €f«Å±DÙÑ€xØL5Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security xÆa-Z   "   -fsirWIN-03DLIIOFRRAÚÔ.›hVdí:èWIN-03DLIIOFRRA$WORKGROUPç-fsir%%1793-%%1793%%1793%%1793%%1793%%1793%%1794%%1794513-0x150x14 %%2048%%1793-%%1797**è6Æ È±DÙÑ  «Öî~ FÑ!6| €Æ ȱDÙÑ€xØL6Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security 8+LÀs‘   "-ÚÔ.›hVdí:èUsersBuiltin !WIN-03DLIIOFRRA$WORKGROUPç-è**€7Æ È±DÙÑ  «Öî~ Fi!5ƒ €Æ ȱDÙÑ€xØL7Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ­Ó£c§­Ó£¤ðõ „11<ª—ÿÿìAÿÿ=f /=DomainPolicyChanged Aÿÿ+f = DomainName Aÿÿ)f = DomainSid Aÿÿ3f %=SubjectUserSid Aÿÿ5f '=SubjectUserName Aÿÿ9f +=SubjectDomainName Aÿÿ3f %=SubjectLogonId Aÿÿ1f #= PrivilegeList Aÿÿ3f %=MinPasswordAge Aÿÿ3f %=MaxPasswordAge Aÿÿ-f = ForceLogoff Aÿÿ7f )=LockoutThreshold AÿÿGf 9=LockoutObservationWindow Aÿÿ5f '=LockoutDuration Aÿÿ;f -=PasswordProperties Aÿÿ9f +=MinPasswordLength AÿÿAf 3=PasswordHistoryLength Aÿÿ=f /=MachineAccountQuota Aÿÿ5f '=MixedDomainMode AÿÿAf 3=DomainBehaviorVersion Aÿÿ3f %=OemInformation    "Password PolicyWIN-03DLIIOFRRAÚÔ.›hVdí:WIN-03DLIIOFRRA$WORKGROUPç-----000€**8'nʱDÙÑ  «Öî~ Fç!6‚ €'nʱDÙÑ€xØ8Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security xÆa-Z   " *  -fsirWIN-03DLIIOFRRAÚÔ.›hVdí:èWIN-03DLIIOFRRA$WORKGROUPç-fsir%%1793-%%1793%%1793%%1793%%1793%%17937/8/2016 11:15:23 AM%%1794513-0x140x14---%%1797**Ø9'nʱDÙÑ  «Öî~ F»!6t €'nʱDÙÑ€xØ9Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security p!ˆãž   "fsirWIN-03DLIIOFRRAÚÔ.›hVdí:èWIN-03DLIIOFRRA$WORKGROUPçØ**:'nʱDÙÑ  «Öî~ Fã!6| €'nʱDÙÑ€xØ:Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security 8+LÀs‘  "-ÚÔ.›hVdí:èAdministratorsBuiltin WIN-03DLIIOFRRA$WORKGROUPç-**(;a­“»DÙÑ  «Öî~ F!0 €a­“»DÙÑ€xÜà;Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîÅ(**<a­“»DÙÑ  «Öî~ Fõ!1 €a­“»DÙÑ€xÜà<Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3   --SYSTEMNT AUTHORITYç-------**@=â2»DÙÑ  «Öî~ F#!5& €â2»DÙÑ€xÜ=Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇën¿@**˜>¢õ¡»DÙÑ  «Öî~ F!1 €¢õ¡»DÙÑ€xÜH>Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÈC:\Windows\System32\services.exe--˜** ?¢õ¡»DÙÑ  «Öî~ F…!1@ €¢õ¡»DÙÑ€xÜH?Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s. &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨@„Ü­»DÙÑ  «Öî~ F‘!1 €„Ü­»DÙÑ€xÜH@Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3  "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--ÈC:\Windows\System32\services.exe--¨**(A„Ü­»DÙÑ  «Öî~ F !1@ €„Ü­»DÙÑ€xÜHAMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s.  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**˜Bíê½DÙÑ  «Öî~ F!1 €íê½DÙÑ€xÜBMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÈC:\Windows\System32\services.exe--˜** Cíê½DÙÑ  «Öî~ F…!1@ €íê½DÙÑ€xÜCMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s. &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜DML½DÙÑ  «Öî~ F!1 €ML½DÙÑ€xÜDMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÈC:\Windows\System32\services.exe--˜** EML½DÙÑ  «Öî~ F…!1@ €ML½DÙÑ€xÜEMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s. &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨F½DÙÑ  «Öî~ F!1 €½DÙÑ€xÜFMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3  " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--ÈC:\Windows\System32\services.exe--¨** G½DÙÑ  «Öî~ F !1@ €½DÙÑ€xÜGMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s. œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜HVùw¾DÙÑ  «Öî~ F!1 €Vùw¾DÙÑ€xÜHHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÈC:\Windows\System32\services.exe--˜** IVùw¾DÙÑ  «Öî~ F…!1@ €Vùw¾DÙÑ€xÜHIMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s. &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **pJÁ‘Ù¾DÙÑ  «Öî~ Fk!1 €Á‘Ù¾DÙÑÜJMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÈC:\Windows\System32\services.exe--p**ˆKÁ‘Ù¾DÙÑ  «Öî~ Fƒ!1@ €Á‘Ù¾DÙÑÜKMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«s.  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**Lc;ê¾DÙÑ  «Öî~ F!0© €c;ê¾DÙÑ<LMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîÅ**Mŧÿ¾DÙÑ  «Öî~ F!0  €Å§ÿ¾DÙÑÜMMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîÅ**N*(¿DÙÑ  «Öî~ F!1 €*(¿DÙÑÜdNMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ3   --ANONYMOUS LOGONNT AUTHORITYWÌNtLmSsp NTLM-NTLM V1---**ÈO¿ ÂDÙÑ  «Öî~ FÁ!6 €¿ ÂDÙÑÜOMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³   AdministratorsBuiltin WIN-03DLIIOFRRA$WORKGROUPç---È** P¿ ÂDÙÑ  «Öî~ F!6­ €¿ ÂDÙÑÜPMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security x8èq¥èx8èq0Ï}‡ñº:(ÿÿìAÿÿ9f +=OldTargetUserName Aÿÿ9f +=NewTargetUserName Aÿÿ7f )=TargetDomainName Aÿÿ)f = TargetSid Aÿÿ3f %=SubjectUserSid Aÿÿ5f '=SubjectUserName Aÿÿ9f +=SubjectDomainName Aÿÿ3f %=SubjectLogonId Aÿÿ1f #= PrivilegeList    AdministratorsAdministratorsBuiltin WIN-03DLIIOFRRA$WORKGROUPç- **àQ¿ ÂDÙÑ  «Öî~ FÛ!6 €¿ ÂDÙÑÜQMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³   AdministratorsBuiltin WIN-03DLIIOFRRA$WORKGROUPç-Administrators-à**¸R¿ ÂDÙÑ  «Öî~ F¯!6 €¿ ÂDÙÑÜRMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³   UsersBuiltin !WIN-03DLIIOFRRA$WORKGROUPç---¸**¸S¿ ÂDÙÑ  «Öî~ F±!6­ €¿ ÂDÙÑÜSMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security x8èq¥è    UsersUsersBuiltin !WIN-03DLIIOFRRA$WORKGROUPç-¸**ÀT¿ ÂDÙÑ  «Öî~ F·!6 €¿ ÂDÙÑÜTMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³    UsersBuiltin !WIN-03DLIIOFRRA$WORKGROUPç-Users-À**¸U¿ ÂDÙÑ  «Öî~ F±!6 €¿ ÂDÙÑÜUMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³   GuestsBuiltin "WIN-03DLIIOFRRA$WORKGROUPç---¸**ÀV¿ ÂDÙÑ  «Öî~ Fµ!6­ €¿ ÂDÙÑÜVMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security x8èq¥è    GuestsGuestsBuiltin "WIN-03DLIIOFRRA$WORKGROUPç-À**ÀW¿ ÂDÙÑ  «Öî~ F»!6 €¿ ÂDÙÑÜWMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³    GuestsBuiltin "WIN-03DLIIOFRRA$WORKGROUPç-Guests-À**ÐX¿ ÂDÙÑ  «Öî~ FÅ!6 €¿ ÂDÙÑÜXMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³   Backup OperatorsBuiltin 'WIN-03DLIIOFRRA$WORKGROUPç---Ð**èY¿ ÂDÙÑ  «Öî~ FÝ!6­ €¿ ÂDÙÑÜYMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security x8èq¥è    Backup OperatorsBackup OperatorsBuiltin 'WIN-03DLIIOFRRA$WORKGROUPç-è**èZ¿ ÂDÙÑ  «Öî~ Fã!6 €¿ ÂDÙÑÜZMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³    Backup OperatorsBuiltin 'WIN-03DLIIOFRRA$WORKGROUPç-Backup Operators-è**À[¿ ÂDÙÑ  «Öî~ F¹!6 €¿ ÂDÙÑÜ[Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 ³   ReplicatorBuiltin (WIN-03DLIIOFRRA$WORKGROUPç---À  «Öî~ 6­ €¿ ÂDÙÑÜ\ElfChnk\±\±€ýpÿ‡O-[sç­ƒâóè =<¸Î÷²›f ¸?ø9·©MFº–´&…\˽õ »Uoä·]–kºD- ½Š**è\¿ ÂDÙÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! F3!6­ €¿ ÂDÙÑÜ\Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security x8èq»x8èq0Ï}‡ñº:VÿÿJâD‚ EventDataAÿÿK ΊoData+=OldTargetUserName Aÿÿ9 +=NewTargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ) = TargetSid Aÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList    ReplicatorReplicatorBuiltin (WIN-03DLIIOFRRA$WORKGROUPç-è**8]¿ ÂDÙÑ  «Ö& F1!6 €¿ ÂDÙÑÜ]Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ ;2 @Œ0'¿ºW£cZ–!NÿÿBâAÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ) = TargetSid Aÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList Aÿÿ3 %=SamAccountName Aÿÿ+ = SidHistory    ReplicatorBuiltin (WIN-03DLIIOFRRA$WORKGROUPç-Replicator-8**Ø^¿ ÂDÙÑ  «Ö& FÍ!6 €¿ ÂDÙÑÜ^Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ (  Remote Desktop UsersBuiltin +WIN-03DLIIOFRRA$WORKGROUPç---Ø**ø_¿ ÂDÙÑ  «Ö& Fí!6­ €¿ ÂDÙÑÜ_Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security x8èq» ((  Remote Desktop UsersRemote Desktop UsersBuiltin +WIN-03DLIIOFRRA$WORKGROUPç-serNø**ø`¿ ÂDÙÑ  «Ö& Fó!6 €¿ ÂDÙÑÜ`Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ (  (Remote Desktop UsersBuiltin +WIN-03DLIIOFRRA$WORKGROUPç-Remote Desktop Users-eø**èa¿ ÂDÙÑ  «Ö& Fã!6 €¿ ÂDÙÑÜaMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ >  Network Configuration OperatorsBuiltin ,WIN-03DLIIOFRRA$WORKGROUPç---è** b¿ ÂDÙÑ  «Ö& F!6­ €¿ ÂDÙÑÜbMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security x8èq» >>  Network Configuration OperatorsNetwork Configuration OperatorsBuiltin ,WIN-03DLIIOFRRA$WORKGROUPç- **(c¿ ÂDÙÑ  «Ö& F!6 €¿ ÂDÙÑÜcMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ >  >Network Configuration OperatorsBuiltin ,WIN-03DLIIOFRRA$WORKGROUPç-Network Configuration Operators-(**Àd¿ ÂDÙÑ  «Ö& F»!6 €¿ ÂDÙÑÜdMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ   Power UsersBuiltin #WIN-03DLIIOFRRA$WORKGROUPç---À**Ðe¿ ÂDÙÑ  «Ö& FÉ!6­ €¿ ÂDÙÑÜeMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security x8èq»   Power UsersPower UsersBuiltin #WIN-03DLIIOFRRA$WORKGROUPç-Ð**Øf¿ ÂDÙÑ  «Ö& FÏ!6 €¿ ÂDÙÑÜfMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ   Power UsersBuiltin #WIN-03DLIIOFRRA$WORKGROUPç-Power Users-WOØ**àg¿ ÂDÙÑ  «Ö& F×!6 €¿ ÂDÙÑÜgMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ 2  Performance Monitor UsersBuiltin .WIN-03DLIIOFRRA$WORKGROUPç---n Oà**h¿ ÂDÙÑ  «Ö& F!6­ €¿ ÂDÙÑÜhMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security x8èq» 22  Performance Monitor UsersPerformance Monitor UsersBuiltin .WIN-03DLIIOFRRA$WORKGROUPç-#**i¿ ÂDÙÑ  «Ö& F!6 €¿ ÂDÙÑÜiMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ 2  2Performance Monitor UsersBuiltin .WIN-03DLIIOFRRA$WORKGROUPç-Performance Monitor Users-7F2**Øj¿ ÂDÙÑ  «Ö& FÏ!6 €¿ ÂDÙÑÜjMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ *  Performance Log UsersBuiltin /WIN-03DLIIOFRRA$WORKGROUPç---Ø**øk¿ ÂDÙÑ  «Ö& Fñ!6­ €¿ ÂDÙÑÜkMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security x8èq» **  Performance Log UsersPerformance Log UsersBuiltin /WIN-03DLIIOFRRA$WORKGROUPç-rsø**l¿ ÂDÙÑ  «Ö& F÷!6 €¿ ÂDÙÑÜlMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ *  *Performance Log UsersBuiltin /WIN-03DLIIOFRRA$WORKGROUPç-Performance Log Users-L42**Øm¿ ÂDÙÑ  «Ö& FÏ!6 €¿ ÂDÙÑÜmMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ *  Distributed COM UsersBuiltin 2WIN-03DLIIOFRRA$WORKGROUPç---WinØ**øn¿ ÂDÙÑ  «Ö& Fñ!6­ €¿ ÂDÙÑÜnMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security x8èq» **  Distributed COM UsersDistributed COM UsersBuiltin 2WIN-03DLIIOFRRA$WORKGROUPç-çø**o¿ ÂDÙÑ  «Ö& F÷!6 €¿ ÂDÙÑÜoMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ *  *Distributed COM UsersBuiltin 2WIN-03DLIIOFRRA$WORKGROUPç-Distributed COM Users- Se**Àp¿ ÂDÙÑ  «Ö& F·!6 €¿ ÂDÙÑÜpMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ   IIS_IUSRSBuiltin 8WIN-03DLIIOFRRA$WORKGROUPç---7F2À**Èq¿ ÂDÙÑ  «Ö& FÁ!6­ €¿ ÂDÙÑÜqMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security x8èq»   IIS_IUSRSIIS_IUSRSBuiltin 8WIN-03DLIIOFRRA$WORKGROUPç-MÈ**Ðr¿ ÂDÙÑ  «Ö& FÇ!6 €¿ ÂDÙÑÜrMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ   IIS_IUSRSBuiltin 8WIN-03DLIIOFRRA$WORKGROUPç-IIS_IUSRS-Ð**Øs¿ ÂDÙÑ  «Ö& FÓ!6 €¿ ÂDÙÑÜsMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ .  Cryptographic OperatorsBuiltin 9WIN-03DLIIOFRRA$WORKGROUPç---Ø**t¿ ÂDÙÑ  «Ö& Fù!6­ €¿ ÂDÙÑÜtMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security x8èq» ..  Cryptographic OperatorsCryptographic OperatorsBuiltin 9WIN-03DLIIOFRRA$WORKGROUPç-gn**u¿ ÂDÙÑ  «Ö& Fÿ!6 €¿ ÂDÙÑÜuMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ .  .Cryptographic OperatorsBuiltin 9WIN-03DLIIOFRRA$WORKGROUPç-Cryptographic Operators-**Ðv¿ ÂDÙÑ  «Ö& FÇ!6 €¿ ÂDÙÑÜvMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ "  Event Log ReadersBuiltin =WIN-03DLIIOFRRA$WORKGROUPç---MÐ**èw¿ ÂDÙÑ  «Ö& Fá!6­ €¿ ÂDÙÑÜwMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security x8èq» ""  Event Log ReadersEvent Log ReadersBuiltin =WIN-03DLIIOFRRA$WORKGROUPç-leè**ðx¿ ÂDÙÑ  «Ö& Fç!6 €¿ ÂDÙÑÜxMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 õ "  "Event Log ReadersBuiltin =WIN-03DLIIOFRRA$WORKGROUPç-Event Log Readers--Auð** y¿ ÂDÙÑ  «Ö& F!6‚ €¿ ÂDÙÑÜyMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security xÆaDxÆaus³>¡±#rúBŠCþÿÿòâAÿÿ! =Dummy Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ) = TargetSid Aÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList Aÿÿ3 %=SamAccountName Aÿÿ- = DisplayName Aÿÿ9 +=UserPrincipalName Aÿÿ1 #= HomeDirectory Aÿÿ' =HomePath Aÿÿ+ = ScriptPath Aÿÿ- = ProfilePath Aÿÿ7 )=UserWorkstations Aÿÿ5 '=PasswordLastSet Aÿÿ3 %=AccountExpires Aÿÿ3 %=PrimaryGroupId Aÿÿ= /=AllowedToDelegateTo Aÿÿ- = OldUacValue Aÿÿ- = NewUacValue Aÿÿ; -=UserAccountControl Aÿÿ3 %=UserParameters Aÿÿ+ = SidHistory Aÿÿ+ = LogonHours         *     -AdministratorWIN-03DLIIOFRRAÚÔ.›hVdí:ôWIN-03DLIIOFRRA$WORKGROUPç-Administrator%%1793-%%1793%%1793%%1793%%1793%%179311/20/2010 8:57:24 PM%%1794513-0x2110x211-%%1793-%%1797  **øz¿ ÂDÙÑ  «Ö& Fï!6‚ €¿ ÂDÙÑÜzMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security xÆaD        *     -AdministratorWIN-03DLIIOFRRAÚÔ.›hVdí:ôWIN-03DLIIOFRRA$WORKGROUPç-Administrator%%1793-%%1793%%1793%%1793%%1793%%179311/20/2010 8:57:24 PM%%1794513-0x2110x211-%%1793-%%1797ø**¸{¿ ÂDÙÑ  «Ö& F±!6‚ €¿ ÂDÙÑÜ{Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security xÆaD                -GuestWIN-03DLIIOFRRAÚÔ.›hVdí:õWIN-03DLIIOFRRA$WORKGROUPç-Guest%%1793-%%1793%%1793%%1793%%1793%%1793%%1794%%1794513-0x2150x215-%%1793-%%1797ȸ**¸|¿ ÂDÙÑ  «Ö& F±!6‚ €¿ ÂDÙÑÜ|Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security xÆaD                -GuestWIN-03DLIIOFRRAÚÔ.›hVdí:õWIN-03DLIIOFRRA$WORKGROUPç-Guest%%1793-%%1793%%1793%%1793%%1793%%1793%%1794%%1794513-0x2150x215-%%1793-%%1797vi¸**}Bš&ÂDÙÑ  «Ö& F!1 €Bš&ÂDÙÑÜ}Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}Uï:ÚÁ¹öǬr›fË8(~ÿÿrâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId Aÿÿ) = LogonType Aÿÿ7 )=LogonProcessName AÿÿI ;=AuthenticationPackageName Aÿÿ5 '=WorkstationName Aÿÿ) = LogonGuid Aÿÿ= /=TransmittedServices Aÿÿ1 #= LmPackageName Aÿÿ) = KeyLength Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÈC:\Windows\System32\services.exe--**à~Bš&ÂDÙÑ  «Ö& FÕ!1@ €Bš&ÂDÙÑÜ~Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\}U®x«C‚Å“Â-ž:ÿÿ.âAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList   $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeà**ˆp ÂDÙÑ  «Ö& Fƒ!1( €p ÂDÙÑÜMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skea`/skbðhP3å'vÿÿâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ) = LogonGuid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ5 '=TargetLogonGuid Aÿÿ7 )=TargetServerName Aÿÿ+ = TargetInfo Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort   @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhost”C:\Windows\System32\winlogon.exe127.0.0.10iˆ**°€p ÂDÙÑ  «Ö& F©!1 €p ÂDÙÑÜ€Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA aUser32 NegotiateWIN-03DLIIOFRRA--”C:\Windows\System32\winlogon.exe127.0.0.103 °**°p ÂDÙÑ  «Ö& F©!1 €p ÂDÙÑÜMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAYaUser32 NegotiateWIN-03DLIIOFRRA--”C:\Windows\System32\winlogon.exe127.0.0.10HO°**‚p ÂDÙÑ  «Ö& F!1@ €p ÂDÙÑÜ‚Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA aSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege**XƒhW—ÅDÙÑ  «Ö& FM!5ƒ €hW—ÅDÙÑ܃Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ­Ó£Uo­Ó£¤ðõ „11<ª—ÿÿâAÿÿ= /=DomainPolicyChanged Aÿÿ+ = DomainName Aÿÿ) = DomainSid Aÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList Aÿÿ3 %=MinPasswordAge Aÿÿ3 %=MaxPasswordAge Aÿÿ- = ForceLogoff Aÿÿ7 )=LockoutThreshold AÿÿG 9=LockoutObservationWindow Aÿÿ5 '=LockoutDuration Aÿÿ; -=PasswordProperties Aÿÿ9 +=MinPasswordLength AÿÿA 3=PasswordHistoryLength Aÿÿ= /=MachineAccountQuota Aÿÿ5 '=MixedDomainMode AÿÿA 3=DomainBehaviorVersion Aÿÿ3 %=OemInformation Password PolicyWIN-03DLIIOFRRAÚÔ.›hVdí:ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA a------000-MX**(„hW—ÅDÙÑ  «Ö& F!5ƒ €hW—ÅDÙÑÜ„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ­Ó£UoLogoff PolicyWIN-03DLIIOFRRAÚÔ.›hVdí:ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA a-------------- Se(**p…&¶ÇDÙÑ  «Ö& Fk!1 €&¶ÇDÙÑÜ…Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÈC:\Windows\System32\services.exe--Rp**ˆ†&¶ÇDÙÑ  «Ö& Fƒ!1@ €&¶ÇDÙÑ܆Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeeˆ**p‡Y•ŸÏDÙÑ  «Ö& Fk!1 €Y•ŸÏDÙÑÜH‡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÈC:\Windows\System32\services.exe--p**ˆˆY•ŸÏDÙÑ  «Ö& Fƒ!1@ €Y•ŸÏDÙÑÜHˆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeOˆ**p‰X¤ÏDÙÑ  «Ö& Fk!1 €X¤ÏDÙÑ܉Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÈC:\Windows\System32\services.exe--cp**ˆŠX¤ÏDÙÑ  «Ö& Fƒ!1@ €X¤ÏDÙÑÜŠMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegevˆ**ЋÏç£ÓDÙÑ  «Ö& FÅ!5( €Ïç£ÓDÙÑÜ‹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY½Š ëYã™O“Oªß®@ÚÿÿÎâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ5 '=AuditSourceName Aÿÿ1 #= EventSourceId Aÿÿ) = ProcessId Aÿÿ- = ProcessName   :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditÅÁ$ C:\Windows\System32\VSSVC.exeUTHOÐ**ØŒÏç£ÓDÙÑ  «Ö& FÓ!5) €Ïç£ÓDÙÑÜŒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY½Š  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditÅÁ$ C:\Windows\System32\VSSVC.exe Ø**p¢ƒWÕDÙÑ  «Ö& Fk!1 €¢ƒWÕDÙÑÜMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÈC:\Windows\System32\services.exe--mp**ˆŽ¢ƒWÕDÙÑ  «Ö& Fƒ!1@ €¢ƒWÕDÙÑÜŽMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ØÐëGafÙÑ  «Ö& FÓ!0 €ÐëGafÙÑ8Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…]– ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼âAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != PreviousTime Aÿÿ% =NewTime Aÿÿ) = ProcessId Aÿÿ- = ProcessName   bWIN-03DLIIOFRRA$WORKGROUPçOh!ÚDÙÑÐëGafÙÑÐ C:\Program Files\VMware\VMware Tools\vmtoolsd.exeØ**px¶‘afÙÑ  «Ö& Fk!1 €x¶‘afÙÑÜMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÈC:\Windows\System32\services.exe--p**ˆ‘x¶‘afÙÑ  «Ö& Fƒ!1@ €x¶‘afÙÑÜ‘Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege=ˆ**8’’:vbfÙÑ  «Ö& F1 !0 €’:vbfÙÑÜ’Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security §8C›- §8C›qyV&1HK#|/âÿÿÖâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName AÿÿA 3=SubjectUserDomainName Aÿÿ3 %=SubjectLogonId  Aÿÿ? 1=ObjectCollectionName AÿÿM ?=ObjectIdentifyingProperties Aÿÿ7 )=ObjectProperties    Ôä SYSTEMNT AUTHORITYçApplications ID = {E2895B02-7EB7-4F0D-8A01-F5BF32F3023F} AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70} Name = VMware Snapshot Provider ApplicationProxyServerName = ProcessType = 2 CommandLine = ServiceName = RunAsUserType = 1 Identity = Interactive User Description = VMware Snapshot Provider IsSystem = N Authentication = 6 ShutdownAfter = 3 RunForever = N Password = ******** Activation = Local Changeable = Y Deleteable = Y CreatedBy = AccessChecksLevel = 1 ApplicationAccessChecksEnabled = 0 cCOL_SecurityDescriptor = <Opaque> ImpersonationLevel = 2 AuthenticationCapability = 2 CRMEnabled = 0 3GigSupportEnabled = 0 QueuingEnabled = 0 QueueListenerEnabled = N EventsEnabled = 1 ProcessFlags = 0 ThreadMax = 0 ApplicationProxy = 0 CRMLogFile = DumpEnabled = 0 DumpOnException = 0 DumpOnFailfast = 0 MaxDumpCount = 5 DumpPath = %systemroot%\system32\com\dmp IsEnabled = 1 ConcurrentApps = 1 RecycleLifetimeLimit = 0 RecycleCallLimit = 0 RecycleActivationLimit = 0 RecycleMemoryLimit = 0 RecycleExpirationTimeout = 15 QCListenerMaxThreads = 0 QCAuthenticateMsgs = 0 ApplicationDirectory = SRPTrustLevel = 262144 SRPEnabled = 0 SoapActivated = 0 SoapVRoot = SoapMailTo = SoapBaseUrl = Replicable = 1W8**`“—PœbfÙÑ  «Ö& FU!0 €—PœbfÙÑÜ“Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security §8C›-    ˜LSYSTEMNT AUTHORITYçRoles ApplId = {E2895B02-7EB7-4F0D-8A01-F5BF32F3023F} Name = Administrators Description = Administrators groupN-03`**h”Z´bfÙÑ  «Ö& F_!0 €Z´bfÙÑÜ”Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security §8C›-    ÎSYSTEMNT AUTHORITYçUsersInRole ApplId = {E2895B02-7EB7-4F0D-8A01-F5BF32F3023F} Name = Administrators User = .\Administrators <null>3DLh**P•Z´bfÙÑ  «Ö& FK!0 €Z´bfÙÑÜ•Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security §8C›-    ºSYSTEMNT AUTHORITYçUsersInRole ApplId = {E2895B02-7EB7-4F0D-8A01-F5BF32F3023F} Name = Administrators User = SYSTEM <null>RP**à–9{ÃcfÙÑ ê@S–´ê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $9·m5DUserData! u!gL @9{ÃcfÙÑ°– T3[ä·T3[ÓˆY}É*ë•ÄlJAÿÿ> ¸«'ServiceShutdown F<¸Nwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**P—üª}nfÙÑ  «Ö& F9!0 €üª}nfÙѰܬ(,—Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîkºeaÝ&ÎîË|Ö Žp)·cîÿÿâ0P**˜\ €nfÙÑ  «Ö& Fõ!1 €\ €nfÙѰܬ(,˜Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U  --SYSTEMNT AUTHORITYç-------”I¥º>**șݑ‰nfÙÑ  «Ö& F¯!5& €Ý‘‰nfÙѰܬ(`™Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ˽ºìÇ'1°—`A—–—ù tÿÿhâAÿÿ' =PuaCount Aÿÿ- = PuaPolicyId &ºegÈ**˜šâ§¯nfÙÑ  «Ö& F!1 €â§¯nfÙѰܬ(pšMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** ›â§¯nfÙÑ  «Ö& F…!1@ €â§¯nfÙѰܬ(p›Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeÙÑ€x **¨œDÅnfÙÑ  «Ö& F‘!1 €DÅnfÙѰܬ(pœMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--C:\Windows\System32\services.exe--¨**(DÅnfÙÑ  «Ö& F !1@ €DÅnfÙѰܬ(pMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeleg(**¨ž×ÉnfÙÑ  «Ö& F!1 €×ÉnfÙѰܬ(pžMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--C:\Windows\System32\services.exe--YST¨** Ÿ×ÉnfÙÑ  «Ö& F !1@ €×ÉnfÙѰܬ(pŸMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\ œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeA **˜ &ûÐnfÙÑ  «Ö& F!1 €&ûÐnfÙѰܬ(p Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** ¡&ûÐnfÙÑ  «Ö& F…!1@ €&ûÐnfÙѰܬ(p¡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeLOC **˜¢&ûÐnfÙÑ  «Ö& F!1 €&ûÐnfÙѰܬ(p¢Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** £&ûÐnfÙÑ  «Ö& F…!1@ €&ûÐnfÙѰܬ(p£Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeleg **˜¤«–ofÙÑ  «Ö& F!1 €«–ofÙѰܬ(l¤Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--TE˜** ¥«–ofÙÑ  «Ö& F…!1@ €«–ofÙѰܬ(l¥Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege Se **€¦Œ} ofÙÑ  «Ö& Fe!1( €Œ} ofÙѰܬ(t¦Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skea "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostôC:\Windows\System32\winlogon.exe127.0.0.10ity€**اŒ} ofÙÑ  «Ö& F½!1 €Œ} ofÙѰܬ(t§Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA,gUser32 NegotiateWIN-03DLIIOFRRA--ôC:\Windows\System32\winlogon.exe127.0.0.10!Ø**بŒ} ofÙÑ  «Ö& F½!1 €Œ} ofÙѰܬ(t¨Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAfgUser32 NegotiateWIN-03DLIIOFRRA--ôC:\Windows\System32\winlogon.exe127.0.0.10+Ø** ©Œ} ofÙÑ  «Ö& F!1@ €Œ} ofÙѰܬ(t©Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA,gSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege €¿  **(ª­¡ofÙÑ  «Ö& F!0© €­¡ofÙѰܬ4ªMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîkºRO(**(«ÐÐ-ofÙÑ  «Ö& F!0  €ÐÐ-ofÙѰܬ(p«Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îîkºec(**@¬ønofÙÑ  «Ö& F'!1 €ønofÙÑ\Reg(l¬Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U    --ANONYMOUS LOGONNT AUTHORITY¡ðNtLmSsp NTLM-NTLM V1----0@**˜­[®ofÙÑ  «Ö& F!1 €[®ofÙÑ\Reg(l­Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--Mi˜** ®[®ofÙÑ  «Ö& F…!1@ €[®ofÙÑ\Reg(l®Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeecu **p¯«BÅpfÙÑ  «Ö& Fk!1 €«BÅpfÙÑ(p¯Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--'p**ˆ°«BÅpfÙÑ  «Ö& Fƒ!1@ €«BÅpfÙÑ(p°Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«…\  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegepˆ**p±âD sfÙÑ  «Ö& Fk!1 €âD sfÙÑ(p±Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ}U    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p  «Öî~  «Ö&6­ €¿ 1@ €âD sfÙÑ(pElfChnk²²€(ûhýPŸÕÃþ*àÇâóè =üÅÎ÷²›fËÅ?øùÄ©MFºVÂ&Å ‹Ë¤Åýv}$U¶Sø+È(ÍO**¸ ²âD sfÙÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! F!1@ €âD sfÙÑ(p²Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»®x«C‚Å“Â-žhÿÿ\âD‚ EventDataAÿÿE ΊoData%=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList   $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegety¸ **³CR–·fÙÑ  «Ö& F!1 €CR–·fÙÑ(p³Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ »ï:ÚÁ¹öǬr›fË8(~ÿÿrâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId Aÿÿ) = LogonType Aÿÿ7 )=LogonProcessName AÿÿI ;=AuthenticationPackageName Aÿÿ5 '=WorkstationName Aÿÿ) = LogonGuid Aÿÿ= /=TransmittedServices Aÿÿ1 #= LmPackageName Aÿÿ) = KeyLength Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--IO**ˆ´CR–·fÙÑ  «Ö& Fƒ!1@ €CR–·fÙÑ(p´Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegetˆ**HµWñ~TgÙÑ  «Ö& FC!6x €Wñ~TgÙÑ(Ä µMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security 8+LÀU8+LÀ ˜$BŽâ)½€òKDÿÿ8âAÿÿ+ = MemberName Aÿÿ) = MemberSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ) = TargetSid Aÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList  -ÚÔ.›hVdí:éNoneWIN-03DLIIOFRRAÚÔ.›hVdí:ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA,g-H**à¶Wñ~TgÙÑ  «Ö& FÕ!6p €Wñ~TgÙÑ(Ä ¶Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security vÜvÜ ZNî`øl7жÖÿÿÊâAÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ) = TargetSid Aÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList Aÿÿ3 %=SamAccountName Aÿÿ- = DisplayName Aÿÿ9 +=UserPrincipalName Aÿÿ1 #= HomeDirectory Aÿÿ' =HomePath Aÿÿ+ = ScriptPath Aÿÿ- = ProfilePath Aÿÿ7 )=UserWorkstations Aÿÿ5 '=PasswordLastSet Aÿÿ3 %=AccountExpires Aÿÿ3 %=PrimaryGroupId Aÿÿ= /=AllowedToDelegateTo Aÿÿ- = OldUacValue Aÿÿ- = NewUacValue Aÿÿ; -=UserAccountControl Aÿÿ3 %=UserParameters Aÿÿ+ = SidHistory Aÿÿ+ = LogonHours           <  archirWIN-03DLIIOFRRAÚÔ.›hVdí:éÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA,g-archir%%1793-%%1793%%1793%%1793%%1793%%1793%%1794%%1794513-0x00x15 %%2080 %%2082 %%2084%%1793-%%1797x8èq»à**ˆ·Wñ~TgÙÑ  «Ö& F!6r €Wñ~TgÙÑ(Ä ·Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security p!ˆ}$p!ˆ ¯­}9Žw´§ªÿÿžâAÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ) = TargetSid Aÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId  archirWIN-03DLIIOFRRAÚÔ.›hVdí:éÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA,gˆ** ¸Wñ~TgÙÑ  «Ö& F!6‚ €Wñ~TgÙÑ(Ä ¸Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security xÆa(xÆaus³>¡±#rúBŠCþÿÿòâAÿÿ! =Dummy Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ) = TargetSid Aÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList Aÿÿ3 %=SamAccountName Aÿÿ- = DisplayName Aÿÿ9 +=UserPrincipalName Aÿÿ1 #= HomeDirectory Aÿÿ' =HomePath Aÿÿ+ = ScriptPath Aÿÿ- = ProfilePath Aÿÿ7 )=UserWorkstations Aÿÿ5 '=PasswordLastSet Aÿÿ3 %=AccountExpires Aÿÿ3 %=PrimaryGroupId Aÿÿ= /=AllowedToDelegateTo Aÿÿ- = OldUacValue Aÿÿ- = NewUacValue Aÿÿ; -=UserAccountControl Aÿÿ3 %=UserParameters Aÿÿ+ = SidHistory Aÿÿ+ = LogonHours            <  -archirWIN-03DLIIOFRRAÚÔ.›hVdí:éÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA,g-archirarchir-%%1793%%1793%%1793%%1793%%1793%%1794%%1794513-0x150x210 %%2048 %%2050 %%2089%%1793-%%1797OUP **ع·RTgÙÑ  «Ö& FÍ!6| €·RTgÙÑ(Ä ¹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security 8+LÀU  -ÚÔ.›hVdí:éUsersBuiltin !ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA,g-PçØ**@º´ƒTgÙÑ  «Ö& F7!6‚ €´ƒTgÙÑ(Ä ºMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security xÆa( -archirWIN-03DLIIOFRRAÚÔ.›hVdí:éÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA,g-------------------@**À»ØvˆTgÙÑ  «Ö& F¹!6‚ €ØvˆTgÙÑ(Ä »Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security xÆa(              -archirWIN-03DLIIOFRRAÚÔ.›hVdí:éÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA,g-archirarchir-%%1793%%1793%%1793%%1793%%1793%%1794%%1794513-0x2100x210-%%1793-%%1797IIÀ**p¼–N÷^gÙÑ  «Ö& Fk!1 €–N÷^gÙÑ(Ä ¼Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ½–N÷^gÙÑ  «Ö& Fƒ!1@ €–N÷^gÙÑ(Ä ½Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p¾½ª!„gÙÑ  «Ö& Fk!1 €½ª!„gÙÑ(Ä ¾Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ¿½ª!„gÙÑ  «Ö& Fƒ!1@ €½ª!„gÙÑ(Ä ¿Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegevˆ**pÀ­¡ß9hÙÑ  «Ö& Fk!1 €­¡ß9hÙÑ(pÀMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆÁ­¡ß9hÙÑ  «Ö& Fƒ!1@ €­¡ß9hÙÑ(pÁMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegetˆ**pÂndä9hÙÑ  «Ö& Fk!1 €ndä9hÙÑ(@ ÂMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--ip**ˆÃndä9hÙÑ  «Ö& Fƒ!1@ €ndä9hÙÑ(@ ÃMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege4ˆ**ÐÄ„ÔÏ;(à Security  ëYÍO ëYã™O“Oªß®@ÚÿÿÎâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ5 '=AuditSourceName Aÿÿ1 #= EventSourceId Aÿÿ) = ProcessId Aÿÿ- = ProcessName   :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit^k¤ C:\Windows\System32\VSSVC.exe-AudÐ**ØÅ„ÔÏ;(à Security  ëYÍO  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit^k¤ C:\Windows\System32\VSSVC.exe9Ø**pƵ*êWhÙÑ  «Ö& Fk!1 €µ*êWhÙÑ( ÆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆǵ*êWhÙÑ  «Ö& Fƒ!1@ €µ*êWhÙÑ( ÇMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege@ˆ**pÈåYhÙÑ  «Ö& Fk!1 €åYhÙÑ(@ ÈMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--jp**ˆÉåYhÙÑ  «Ö& Fƒ!1@ €åYhÙÑ(@ ÉMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pÊ“™•hÙÑ  «Ö& Fk!1 €“™•hÙÑ( ÊMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆË“™•hÙÑ  «Ö& Fƒ!1@ €“™•hÙÑ( ËMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pÌIp‹ÀiÙÑ  «Ö& Fk!1 €Ip‹ÀiÙÑ(PÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆÍIp‹ÀiÙÑ  «Ö& Fƒ!1@ €Ip‹ÀiÙÑ(PÍMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pÎ 3ÀiÙÑ  «Ö& Fk!1 € 3ÀiÙÑ(pÎMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆÏ 3ÀiÙÑ  «Ö& Fƒ!1@ € 3ÀiÙÑ(pÏMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ØÐs ÃiÙÑ  «Ö& FÓ!5( €s ÃiÙÑ(° ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÍO  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditAe1`C:\Windows\System32\VSSVC.exeØ**ØÑs ÃiÙÑ  «Ö& FÓ!5) €s ÃiÙÑ(° ÑMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÍO  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditAe1`C:\Windows\System32\VSSVC.exeØ**PÒÞZmÃiÙÑ  «Ö& FI!5+ €ÞZmÃiÙÑ(8ÒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bývTØ®b¨ãb]Áh˺‘~ÿÿrâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ObjectServer Aÿÿ+ = ObjectType Aÿÿ+ = ObjectName Aÿÿ' =HandleId Aÿÿ! =OldSd Aÿÿ! =NewSd Aÿÿ) = ProcessId Aÿÿ- = ProcessName   ¤ RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\de5a6dc369d9d10186000000140f900d.desktop.ini S:ARAIC:\Windows\servicing\TrustedInstaller.exeP**ÓuN5ÄiÙÑ  «Ö& F…!5+ €uN5ÄiÙÑ(8ÓMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®býv  <FRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\telnet.exeÈS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)C:\Windows\servicing\TrustedInstaller.exe** ÔÕ¯7ÄiÙÑ  «Ö& F™!5+ €Õ¯7ÄiÙÑ(8ÔMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®býv  PFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\telnet.exe.mui S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)C:\Windows\servicing\TrustedInstaller.exe **ÐÕ5:ÄiÙÑ  «Ö& FË!5+ €5:ÄiÙÑ(8ÕMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®býv  ‚FRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\spp\tokens\ppdlic\Telnet-Client-ppdlic.xrm-msÄS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)C:\Windows\servicing\TrustedInstaller.exeÐ**¸Ö®ë ÅiÙÑ  «Ö& F³!5+ €®ë ÅiÙÑ(8ÖMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®býv  ¤ RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\4e8a0bc569d9d1010a010000140f900d.desktop.iniÄ S:ARAIC:\Windows\servicing\TrustedInstaller.exe¸**¸×ýuŽÅiÙÑ  «Ö& F³!5+ €ýuŽÅiÙÑ(8×Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®býv  ¤ RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\fd758ec569d9d1018b010000140f900d.desktop.iniÔ S:ARAIC:\Windows\servicing\TrustedInstaller.exe¸**pØþ)òljÙÑ  «Ö& Fk!1 €þ)òljÙÑ(ôØMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆÙþ)òljÙÑ  «Ö& Fƒ!1@ €þ)òljÙÑ(ôÙMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pÚ?¨™tjÙÑ  «Ö& Fk!1 €?¨™tjÙÑ(„ ÚMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆÛ?¨™tjÙÑ  «Ö& Fƒ!1@ €?¨™tjÙÑ(„ ÛMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pܵî~jÙÑ  «Ö& Fk!1 €µî~jÙÑ(pÜMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆݵî~jÙÑ  «Ö& Fƒ!1@ €µî~jÙÑ(pÝMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ØÞ\ÿâƒjÙÑ  «Ö& FÓ!5( €\ÿâƒjÙÑ(P ÞMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÍO  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudití†;üC:\Windows\System32\VSSVC.exeØ**Øß}MãƒjÙÑ  «Ö& FÓ!5) €}MãƒjÙÑ(P ßMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÍO  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudití†;üC:\Windows\System32\VSSVC.exeØ**Øàxj@ÄjÙÑ  «Ö& FÓ!5( €xj@ÄjÙÑ(PàMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÍO  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit–šBüC:\Windows\System32\VSSVC.exeØ**Øáxj@ÄjÙÑ  «Ö& FÓ!5) €xj@ÄjÙÑ(PáMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÍO  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit–šBüC:\Windows\System32\VSSVC.exeØ**ØâzæØjÙÑ  «Ö& FÓ!5( €zæØjÙÑ( âMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÍO  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditöÅFüC:\Windows\System32\VSSVC.exeØ**ØãzæØjÙÑ  «Ö& FÓ!5) €zæØjÙÑ( ãMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÍO  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditöÅFüC:\Windows\System32\VSSVC.exeØ**pä‚“{ÙjÙÑ  «Ö& Fk!1 €‚“{ÙjÙÑ(P äMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆå‚“{ÙjÙÑ  «Ö& Fƒ!1@ €‚“{ÙjÙÑ(P åMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ØæÈø¨éjÙÑ  «Ö& FÓ!5( €Èø¨éjÙÑ(P æMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÍO  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditE”KüC:\Windows\System32\VSSVC.exeØ**ØçÈø¨éjÙÑ  «Ö& FÓ!5) €Èø¨éjÙÑ(P çMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÍO  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditE”KüC:\Windows\System32\VSSVC.exeØ**pè§@1îjÙÑ  «Ö& Fk!1 €§@1îjÙÑ(pèMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆé§@1îjÙÑ  «Ö& Fƒ!1@ €§@1îjÙÑ(péMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ˆêo$:kÙÑ  «Ö& F!1' €o$:kÙÑ(Ô êMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NU¶-{NŽ¯EßÄ•34èɦúÿÿîâAÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAfgˆ**xë²D:kÙÑ  «Ö& Fq!5+ €²D:kÙÑ(8ëMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®býv  <F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\telnet.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)°C:\Windows\System32\poqexec.exex**ì²D:kÙÑ  «Ö& F…!5+ €²D:kÙÑ(8ìMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®býv  PF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\telnet.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)°C:\Windows\System32\poqexec.exe**Àí²D:kÙÑ  «Ö& F·!5+ €²D:kÙÑ(8íMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®býv  ‚F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\spp\tokens\ppdlic\Telnet-Client-ppdlic.xrm-msS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)°C:\Windows\System32\poqexec.exeÀ**˜î>ê:kÙÑ  «Ö& F!5+ €>ê:kÙÑ(8îMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®býv  ˜>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.iniS:AI°C:\Windows\System32\poqexec.exe˜**àï¿ ËÅ«'ServiceShutdown FüÅNwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**PðF.GkÙÑ  «Ö& F9!0 €F.GkÙÑ> @9K $ðMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî+ÈÝ&ÎîË|Ö Žp)·cîÿÿâP**ñF.GkÙÑ  «Ö& Fõ!1 €F.GkÙÑ> @9K $ñMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ   --SYSTEMNT AUTHORITYç-------**ÈòÃ2GkÙÑ  «Ö& F¯!5& €Ã2GkÙÑ> @9K TòMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ‹ËUºìÇ'1°—`A—–—ù tÿÿhâAÿÿ' =PuaCount Aÿÿ- = PuaPolicyId ¾ºÈ**˜ó¨lCGkÙÑ  «Ö& F!1 €¨lCGkÙÑ> @9K PóMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** ô¨lCGkÙÑ  «Ö& F…!1@ €¨lCGkÙÑ> @9K PôMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨õê´QGkÙÑ  «Ö& F‘!1 €ê´QGkÙÑ> @9K PõMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ  "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--C:\Windows\System32\services.exe--¨**(öê´QGkÙÑ  «Ö& F !1@ €ê´QGkÙÑ> @9K PöMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨÷ªwVGkÙÑ  «Ö& F!1 €ªwVGkÙÑ> @9K P÷Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ  " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--C:\Windows\System32\services.exe--¨** øªwVGkÙÑ  «Ö& F !1@ €ªwVGkÙÑ> @9K PøMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜ùk:[GkÙÑ  «Ö& F!1 €k:[GkÙÑ> @9K PùMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** úk:[GkÙÑ  «Ö& F…!1@ €k:[GkÙÑ> @9K PúMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜ûk:[GkÙÑ  «Ö& F!1 €k:[GkÙÑ> @9K PûMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** ük:[GkÙÑ  «Ö& F…!1@ €k:[GkÙÑ> @9K PüMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜ýL!gGkÙÑ  «Ö& F!1 €L!gGkÙÑ> @9K `ýMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** þL!gGkÙÑ  «Ö& F…!1@ €L!gGkÙÑ> @9K `þMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜ÿvqºGkÙÑ  «Ö& F!1 €vqºGkÙÑ> @9K PÿMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** vqºGkÙÑ  «Ö& F…!1@ €vqºGkÙÑ> @9K PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **(÷öÃGkÙÑ  «Ö& F!0© €÷öÃGkÙÑ> @9K,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî+È(**(™ ÔGkÙÑ  «Ö& F!0  €™ ÔGkÙÑ\Reg PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî+È(**ð`µCHkÙÑ  «Ö& FÕ!0 €`µCHkÙÑ\Reg0Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…Sø ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼âAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != PreviousTime Aÿÿ% =NewTime Aÿÿ) = ProcessId Aÿÿ- = ProcessName  "dWIN-03DLIIOFRRA$WORKGROUPç)scHkÙÑ`µCHkÙѤC:\Program Files\VMware\VMware Tools\vmtoolsd.exeð**@!xHHkÙÑ  «Ö& F'!1 €!xHHkÙÑ\Reg `Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ     --ANONYMOUS LOGONNT AUTHORITYØÖNtLmSsp NTLM-NTLM V1---@  «Ö& F!1 €BœOHkÙÑ\Reg PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÅ  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜ElfChnk]]€(û°þÙ¬4àhüâóè =|6Î÷²›fK6?øy5©MFºÖ2&£>$6«8ûgC;**è BœOHkÙÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! F/!1 €BœOHkÙÑ PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»ï:ÚÁ¹öǬr›fË8(¬ÿÿ âD‚ EventDataAÿÿE ΊoData%=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId Aÿÿ) = LogonType Aÿÿ7 )=LogonProcessName AÿÿI ;=AuthenticationPackageName Aÿÿ5 '=WorkstationName Aÿÿ) = LogonGuid Aÿÿ= /=TransmittedServices Aÿÿ1 #= LmPackageName Aÿÿ) = KeyLength Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--Aÿÿ1è **ðBœOHkÙÑ  «Ö& F×!1@ €BœOHkÙÑ\Reg PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»®x«C‚Å“Â-ž:ÿÿ.âAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList  &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeR–·ð**p9ñIkÙÑ  «Ö& Fk!1 €9ñIkÙÑ dMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--gp**ˆ9ñIkÙÑ  «Ö& Fƒ!1@ €9ñIkÙÑ dMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ˆ ¤‰{IkÙÑ  «Ö& Fƒ!1( €¤‰{IkÙÑ P Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skÝ`/skbðhP3å'vÿÿâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ) = LogonGuid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ5 '=TargetLogonGuid Aÿÿ7 )=TargetServerName Aÿÿ+ = TargetInfo Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort   @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostìC:\Windows\System32\winlogon.exe127.0.0.10=ˆ**° ¤‰{IkÙÑ  «Ö& F©!1 €¤‰{IkÙÑ P Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAºRUser32 NegotiateWIN-03DLIIOFRRA--ìC:\Windows\System32\winlogon.exe127.0.0.10U°**° ¤‰{IkÙÑ  «Ö& F©!1 €¤‰{IkÙÑ P Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA"SUser32 NegotiateWIN-03DLIIOFRRA--ìC:\Windows\System32\winlogon.exe127.0.0.10°** ¤‰{IkÙÑ  «Ö& F!1@ €¤‰{IkÙÑ P Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAºRSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege:**p V‘ZMkÙÑ  «Ö& Fk!1 €V‘ZMkÙÑ P Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--Sp**ˆV‘ZMkÙÑ  «Ö& Fƒ!1@ €V‘ZMkÙÑ PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeTˆ**p‘0wlÙÑ  «Ö& Fk!1 €‘0wlÙÑ @Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--cp**ˆ‘0wlÙÑ  «Ö& Fƒ!1@ €‘0wlÙÑ @Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeyˆ**ày8Å2mÙÑ ê@SÖ2ê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $y5m5DUserData! u!gL @y8Å2mÙÑTÈ  T3[$6T3[ÓˆY}É*ë•ÄlJAÿÿ>K6«'ServiceShutdown F|6Nwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**˜Qó„2mÙÑ  «Ö& F!1' €Qó„2mÙÑ\Reg @Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{N«8-{NŽ¯EßÄ•34èɦúÿÿîâAÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId   ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA"Sud˜**P…½ñ;mÙÑ  «Ö& F9!0 €…½ñ;mÙÑ`ß\(,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîC;ÝÝ&ÎîË|Ö Žp)·cîÿÿâgP**…½ñ;mÙÑ  «Ö& Fõ!1 €…½ñ;mÙÑ`ß\(,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»  --SYSTEMNT AUTHORITYç-------ft-**È'g;(à Security ºìÇ£>ºìÇ'1°—`A—–—ù tÿÿhâAÿÿ' =PuaCount Aÿÿ- = PuaPolicyId ›È*È**˜=ÕÀ;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--st˜** =ÕÀ;(à Security ®x« &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨ÿ¢Ø;(à Security ï:ÚÁ» "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--C:\Windows\System32\services.exe--e¨**(ÿ¢Ø;(à Security ®x«  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeRA$(**¨ Çß;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--C:\Windows\System32\services.exe-- ¨**  Çß;(à Security ®x« œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜Aëæ;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--am˜** Aëæ;(à Security ®x« &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege¥º>; **˜¡Lé;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe-- ˜** ¡Lé;(à Security ®x« &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **€ q\s=mÙÑ  «Ö& Fe!1( €q\s=mÙÑ\Reg(p Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skÝ "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostìC:\Windows\System32\winlogon.exe127.0.0.10TEM€**Ø!q\s=mÙÑ  «Ö& F½!1 €q\s=mÙÑ\Reg(p!Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÙñUser32 NegotiateWIN-03DLIIOFRRA--ìC:\Windows\System32\winlogon.exe127.0.0.10(Ø**Ø"q\s=mÙÑ  «Ö& F½!1 €q\s=mÙÑ\Reg(p"Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA òUser32 NegotiateWIN-03DLIIOFRRA--ìC:\Windows\System32\winlogon.exe127.0.0.10SecØ** #q\s=mÙÑ  «Ö& F!1@ €q\s=mÙÑ\Reg(p#Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÙñSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeÙÑ( **ð$Ê=mÙÑ  «Ö& FÕ!0 €Ê=mÙÑ\Reg4$Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…ûg ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼âAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != PreviousTime Aÿÿ% =NewTime Aÿÿ) = ProcessId Aÿÿ- = ProcessName  "dWIN-03DLIIOFRRA$WORKGROUPç=ã=mÙÑÊ=mÙÑ8C:\Program Files\VMware\VMware Tools\vmtoolsd.exenerð**@%RWØ=mÙÑ  «Ö& F'!1 €RWØ=mÙÑ\Reg(p%Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    --ANONYMOUS LOGONNT AUTHORITYN¢NtLmSsp NTLM-NTLM V1---cu@**˜&7T >mÙÑ  «Ö& F!1 €7T >mÙÑ\Reg(P&Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe-->;˜** '7T >mÙÑ  «Ö& F…!1@ €7T >mÙÑ\Reg(P'Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x« &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege  **p(m'?mÙÑ  «Ö& Fk!1 €m'?mÙÑ(t(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--\p**ˆ)m'?mÙÑ  «Ö& Fƒ!1@ €m'?mÙÑ(t)Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p*v+ BmÙÑ  «Ö& Fk!1 €v+ BmÙÑ(t*Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ+v+ BmÙÑ  «Ö& Fƒ!1@ €v+ BmÙÑ(t+Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeFˆ**À,ØJmÙÑ ê@SÖ2 !gL @ØJmÙÑdt, T3[$6RPCRÀ**ˆ-AÓ¤ImÙÑ  «Ö& Fm!1' €AÓ¤ImÙÑ\Reg(`-Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{N«8  ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA ò®bývˆ**(.€SmÙÑ  «Ö& F!0 €€SmÙÑpÝr $.Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîC;AI(**/€SmÙÑ  «Ö& Fõ!1 €€SmÙÑpÝr $/Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»  --SYSTEMNT AUTHORITYç-------ORK**@0ÂWSmÙÑ  «Ö& F#!5& €ÂWSmÙÑpÝr X0Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ£>ÿÎxe@**˜1"¹SmÙÑ  «Ö& F!1 €"¹SmÙÑpÝr |1Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--te˜** 2"¹SmÙÑ  «Ö& F…!1@ €"¹SmÙÑpÝr |2Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x« &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegex«» **¨3„%'SmÙÑ  «Ö& F‘!1 €„%'SmÙÑpÝr P3Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--C:\Windows\System32\services.exe--¨**(4„%'SmÙÑ  «Ö& F !1@ €„%'SmÙÑpÝr P4Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeerv(**¨5¥I.SmÙÑ  «Ö& F!1 €¥I.SmÙÑpÝr P5Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--C:\Windows\System32\services.exe-- ¨** 6¥I.SmÙÑ  «Ö& F !1@ €¥I.SmÙÑpÝr P6Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x« œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜7‡0:SmÙÑ  «Ö& F!1 €‡0:SmÙÑpÝr P7Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--HO˜** 8‡0:SmÙÑ  «Ö& F…!1@ €‡0:SmÙÑpÝr P8Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x« &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeORK **˜9‡0:SmÙÑ  «Ö& F!1 €‡0:SmÙÑpÝr P9Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** :‡0:SmÙÑ  «Ö& F…!1@ €‡0:SmÙÑpÝr P:Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x« &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **€;uY¸SmÙÑ  «Ö& Fe!1( €uY¸SmÙÑ\Reg €;Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skÝ "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostèC:\Windows\System32\winlogon.exe127.0.0.10%–„Tx€**Ø<uY¸SmÙÑ  «Ö& F½!1 €uY¸SmÙÑ\Reg €<Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÕUser32 NegotiateWIN-03DLIIOFRRA--èC:\Windows\System32\winlogon.exe127.0.0.10AØ**Ø=uY¸SmÙÑ  «Ö& F½!1 €uY¸SmÙÑ\Reg €=Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÂÕUser32 NegotiateWIN-03DLIIOFRRA--èC:\Windows\System32\winlogon.exe127.0.0.10rPrØ** >uY¸SmÙÑ  «Ö& F!1@ €uY¸SmÙÑ\Reg €>Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÕSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeç **@?ÂØ%TmÙÑ  «Ö& F'!1 €ÂØ%TmÙÑ\Reg |?Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    --ANONYMOUS LOGONNT AUTHORITY=PNtLmSsp NTLM-NTLM V1---@**˜@„¦=TmÙÑ  «Ö& F!1 €„¦=TmÙÑ\Reg h@Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--Mi˜** A„¦=TmÙÑ  «Ö& F…!1@ €„¦=TmÙÑ\Reg hAMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x« &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeind **˜BŸ*"UmÙÑ  «Ö& F!1 €Ÿ*"UmÙÑ\Reg |BMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--cu˜** CŸ*"UmÙÑ  «Ö& F…!1@ €Ÿ*"UmÙÑ\Reg |CMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x« &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege.mu **pD«U|YmÙÑ  «Ö& Fk!1 €«U|YmÙÑ PDMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--pp**ˆE«U|YmÙÑ  «Ö& Fƒ!1@ €«U|YmÙÑ PEMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ÀF±é™(nÙÑ ê@SÖ2 !gL @±é™(nÙÑLLF T3[$6s/eÀ**ˆGŒ¯l(nÙÑ  «Ö& Fm!1' €Œ¯l(nÙÑ\Reg GMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{N«8  ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÂÕFΈ**(H%@Î^nÙÑ  «Ö& F!0 €%@Î^nÙÑ Ý^$(HMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîC; (**I%@Î^nÙÑ  «Ö& Fõ!1 €%@Î^nÙÑ Ý^$(IMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»  --SYSTEMNT AUTHORITYç------- **@JfˆÜ^nÙÑ  «Ö& F#!5& €fˆÜ^nÙÑ Ý^$\JMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ£>ÏGkÙÑ>@**˜KÇéÞ^nÙÑ  «Ö& F!1 €ÇéÞ^nÙÑ Ý^$`KMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe-- º˜** LÇéÞ^nÙÑ  «Ö& F…!1@ €ÇéÞ^nÙÑ Ý^$`LMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x« &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨Mêù^nÙÑ  «Ö& F‘!1 €êù^nÙÑ Ý^$`MMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--C:\Windows\System32\services.exe--S¨**(Nêù^nÙÑ  «Ö& F !1@ €êù^nÙÑ Ý^$`NMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeN-0(**¨Okž_nÙÑ  «Ö& F!1 €kž_nÙÑ Ý^$|OMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--C:\Windows\System32\services.exe--Se¨** Pkž_nÙÑ  «Ö& F !1@ €kž_nÙÑ Ý^$|PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x« œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeW **˜Qì# _nÙÑ  «Ö& F!1 €ì# _nÙÑ Ý^$|QMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--OR˜** Rì# _nÙÑ  «Ö& F…!1@ €ì# _nÙÑ Ý^$|RMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x« &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜SL…_nÙÑ  «Ö& F!1 €L…_nÙÑ Ý^$|SMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--le˜** TL…_nÙÑ  «Ö& F…!1@ €L…_nÙÑ Ý^$|TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x« &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **€U?IJ_nÙÑ  «Ö& Fe!1( €?IJ_nÙÑ\Reg$HUMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skÝ "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostðC:\Windows\System32\winlogon.exe127.0.0.10 Se€**ØV?IJ_nÙÑ  «Ö& F½!1 €?IJ_nÙÑ\Reg$HVMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA˜User32 NegotiateWIN-03DLIIOFRRA--ðC:\Windows\System32\winlogon.exe127.0.0.10 NØ**ØW?IJ_nÙÑ  «Ö& F½!1 €?IJ_nÙÑ\Reg$HWMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA{User32 NegotiateWIN-03DLIIOFRRA--ðC:\Windows\System32\winlogon.exe127.0.0.10LoaØ** X?IJ_nÙÑ  «Ö& F!1@ €?IJ_nÙÑ\Reg$HXMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA˜SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeSYST **@YÇjõ_nÙÑ  «Ö& F'!1 €Çjõ_nÙÑ\Reg$|YMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    --ANONYMOUS LOGONNT AUTHORITY€]NtLmSsp NTLM-NTLM V1---eA@**pZOebnÙÑ  «Ö& Fk!1 €OebnÙÑ$HZMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ[OebnÙÑ  «Ö& Fƒ!1@ €OebnÙÑ$H[Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p\÷^ÅcnÙÑ  «Ö& Fk!1 €÷^ÅcnÙÑ$H\Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ]÷^ÅcnÙÑ  «Ö& Fƒ!1@ €÷^ÅcnÙÑ$H]Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ  «Ö& F1 €<… hnÙÑ$H^Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»\System32\services.exe--˜ElfChnk^¹^¹€0üØþ ÐóTcÿ`âóè =”Î÷²›fc?ø‘©MFºî&õ»<Ã;KÃ<**è ^<… hnÙÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! F/!1 €<… hnÙÑ$H^Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»ï:ÚÁ¹öǬr›fË8(¬ÿÿ âD‚ EventDataAÿÿE ΊoData%=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId Aÿÿ) = LogonType Aÿÿ7 )=LogonProcessName AÿÿI ;=AuthenticationPackageName Aÿÿ5 '=WorkstationName Aÿÿ) = LogonGuid Aÿÿ= /=TransmittedServices Aÿÿ1 #= LmPackageName Aÿÿ) = KeyLength Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--Aÿÿ1è **à_<… hnÙÑ  «Ö& FÕ!1@ €<… hnÙÑ$H_Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ»®x«C‚Å“Â-ž:ÿÿ.âAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList   $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegerivià**à`-¬t pÙÑ ê@Sîê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $‘m5DUserData! u!gL @-¬t pÙÑ@ ` T3[<T3[ÓˆY}É*ë•ÄlJAÿÿ>c«'ServiceShutdown F”Nwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**˜a¦2 pÙÑ  «Ö& F!1' €¦2 pÙÑ\Reg$d aMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NÃ-{NŽ¯EßÄ•34èɦúÿÿîâAÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId   ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA{˜**Pbvª™pÙÑ  «Ö& F9!0 €vª™pÙÑpÞy$(bMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî[Ý&ÎîË|Ö Žp)·cîÿÿâP**cvª™pÙÑ  «Ö& Fõ!1 €vª™pÙÑpÞy$(cMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»  --SYSTEMNT AUTHORITYç-------**Èd÷/£pÙÑ  «Ö& F¯!5& €÷/£pÙÑpÞy$XdMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ»ºìÇ'1°—`A—–—ù tÿÿhâAÿÿ' =PuaCount Aÿÿ- = PuaPolicyId jÎÈ**˜eW‘¥pÙÑ  «Ö& F!1 €W‘¥pÙÑpÞy$HeMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** fW‘¥pÙÑ  «Ö& F…!1@ €W‘¥pÙÑpÞy$HfMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨gù:¶pÙÑ  «Ö& F‘!1 €ù:¶pÙÑpÞy$HgMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--C:\Windows\System32\services.exe--¨**(hù:¶pÙÑ  «Ö& F !1@ €ù:¶pÙÑpÞy$HhMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨i_½pÙÑ  «Ö& F!1 €_½pÙÑpÞy$HiMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--C:\Windows\System32\services.exe--¨** j_½pÙÑ  «Ö& F !1@ €_½pÙÑpÞy$HjMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜k;ƒÄpÙÑ  «Ö& F!1 €;ƒÄpÙÑpÞy$TkMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** l;ƒÄpÙÑ  «Ö& F…!1@ €;ƒÄpÙÑpÞy$TlMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜m›äÆpÙÑ  «Ö& F!1 €›äÆpÙÑpÞy$dmMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** n›äÆpÙÑ  «Ö& F…!1@ €›äÆpÙÑpÞy$dnMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨orpÙÑ  «Ö& F‘!1( €rpÙÑpÞy$ToMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skÃ<[`/skbðhP3å'vÿÿâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ) = LogonGuid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ5 '=TargetLogonGuid Aÿÿ7 )=TargetServerName Aÿÿ+ = TargetInfo Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort  "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostðC:\Windows\System32\winlogon.exe127.0.0.10¨**ØprpÙÑ  «Ö& F½!1 €rpÙÑpÞy$TpMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¾User32 NegotiateWIN-03DLIIOFRRA--ðC:\Windows\System32\winlogon.exe127.0.0.10Ø**ØqrpÙÑ  «Ö& F½!1 €rpÙÑpÞy$TqMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA‹¾User32 NegotiateWIN-03DLIIOFRRA--ðC:\Windows\System32\winlogon.exe127.0.0.10Ø** rrpÙÑ  «Ö& F!1@ €rpÙÑpÞy$TrMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¾SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **ðsÐDpÙÑ  «Ö& FÕ!0 €ÐDpÙÑ\Reg8sMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…;K ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼âAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != PreviousTime Aÿÿ% =NewTime Aÿÿ) = ProcessId Aÿÿ- = ProcessName  "dWIN-03DLIIOFRRA$WORKGROUPçÒvŒpÙÑÐDpÙÑC:\Program Files\VMware\VMware Tools\vmtoolsd.exeð**@t0|FpÙÑ  «Ö& F'!1 €0|FpÙÑ\Reg$TtMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    --ANONYMOUS LOGONNT AUTHORITYŽNtLmSsp NTLM-NTLM V1---@**˜u¸"‰pÙÑ  «Ö& F!1 €¸"‰pÙÑ\Reg$HuMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** v¸"‰pÙÑ  «Ö& F…!1@ €¸"‰pÙÑ\Reg$HvMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜wƒpÙÑ  «Ö& F!1 €ƒpÙÑ\Reg$HwMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** xƒpÙÑ  «Ö& F…!1@ €ƒpÙÑ\Reg$HxMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **pyõîpÙÑ  «Ö& Fk!1 €õîpÙÑ$dyMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆzõîpÙÑ  «Ö& Fƒ!1@ €õîpÙÑ$dzMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**À{3½¡pÙÑ ê@Sî !gL @3½¡pÙÑL0 { T3[<À**ˆ|/6‹¡pÙÑ  «Ö& Fm!1' €/6‹¡pÙÑ\Reg$t|Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{Nà  ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA‹¾ˆ**(}Võ™ªpÙÑ  «Ö& F!0 €Võ™ªpÙÑÀßþ48}Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî[(**~Võ™ªpÙÑ  «Ö& Fõ!1 €Võ™ªpÙÑÀßþ48~Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»  --SYSTEMNT AUTHORITYç-------**@×z£ªpÙÑ  «Ö& F#!5& €×z£ªpÙÑÀßþ4hMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ»ËË@**˜€7Ü¥ªpÙÑ  «Ö& F!1 €7Ü¥ªpÙÑÀßþ4X€Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--$C:\Windows\System32\services.exe--˜** 7Ü¥ªpÙÑ  «Ö& F…!1@ €7Ü¥ªpÙÑÀßþ4XMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨‚Ù…¶ªpÙÑ  «Ö& F‘!1 €Ù…¶ªpÙÑÀßþ4X‚Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--$C:\Windows\System32\services.exe--¨**(ƒÙ…¶ªpÙÑ  «Ö& F !1@ €Ù…¶ªpÙÑÀßþ4XƒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨„ú©½ªpÙÑ  «Ö& F!1 €ú©½ªpÙÑÀßþ4X„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--$C:\Windows\System32\services.exe--¨** …ú©½ªpÙÑ  «Ö& F !1@ €ú©½ªpÙÑÀßþ4X…Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜†;ò˪pÙÑ  «Ö& F!1 €;ò˪pÙÑÀßþ4X†Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--$C:\Windows\System32\services.exe--˜** ‡;ò˪pÙÑ  «Ö& F…!1@ €;ò˪pÙÑÀßþ4X‡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜ˆœSΪpÙÑ  «Ö& F!1 €œSΪpÙÑÀßþ4XˆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--$C:\Windows\System32\services.exe--˜** ‰œSΪpÙÑ  «Ö& F…!1@ €œSΪpÙÑÀßþ4X‰Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **€Šì/«pÙÑ  «Ö& Fe!1( €ì/«pÙÑ\Reg4XŠMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skÃ< "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostüC:\Windows\System32\winlogon.exe127.0.0.10€**Ø‹ì/«pÙÑ  «Ö& F½!1 €ì/«pÙÑ\Reg4X‹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA˜ÉUser32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10Ø**ØŒì/«pÙÑ  «Ö& F½!1 €ì/«pÙÑ\Reg4XŒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÞÉUser32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10Ø** ì/«pÙÑ  «Ö& F!1@ €ì/«pÙÑ\Reg4XMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA˜ÉSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **ŽÐ7¬«pÙÑ  «Ö& Fõ!0 €Ð7¬«pÙÑ\RegDŽMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…;K "dWIN-03DLIIOFRRA$WORKGROUPç¶×²«pÙÑÐ7¬«pÙÑHC:\Program Files\VMware\VMware Tools\vmtoolsd.exe**@0™®«pÙÑ  «Ö& F'!1 €0™®«pÙÑ\Reg4XMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    --ANONYMOUS LOGONNT AUTHORITYˆNtLmSsp NTLM-NTLM V1---@**˜2¤Á«pÙÑ  «Ö& F!1 €2¤Á«pÙÑ\Reg4dMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--$C:\Windows\System32\services.exe--˜** ‘2¤Á«pÙÑ  «Ö& F…!1@ €2¤Á«pÙÑ\Reg4d‘Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **p’u|B®pÙÑ  «Ö& Fk!1 €u|B®pÙÑ4˜’Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--$C:\Windows\System32\services.exe--p**ˆ“u|B®pÙÑ  «Ö& Fƒ!1@ €u|B®pÙÑ4˜“Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p”ÎR¯pÙÑ  «Ö& Fk!1 €ÎR¯pÙÑ4˜”Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--$C:\Windows\System32\services.exe--p**ˆ•ÎR¯pÙÑ  «Ö& Fƒ!1@ €ÎR¯pÙÑ4˜•Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**À–í6ˆ7rÙÑ ê@Sî !gL @í6ˆ7rÙÑH – T3[<À**ˆ—FwQ7rÙÑ  «Ö& Fm!1' €FwQ7rÙÑ\Reg4´—Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{Nà  ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÞɈ**(˜²¬BrÙÑ  «Ö& F!0 €²¬BrÙÑÐàV$(˜Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî[(**™g¯BrÙÑ  «Ö& Fõ!1 €g¯BrÙÑÐàV$(™Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»  --SYSTEMNT AUTHORITYç-------**@š蘸BrÙÑ  «Ö& F#!5& €è˜¸BrÙÑÐàV$\šMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ»&É@**˜›蘸BrÙÑ  «Ö& F!1 €è˜¸BrÙÑÐàV$ˆ›Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--˜** œ蘸BrÙÑ  «Ö& F…!1@ €è˜¸BrÙÑÐàV$ˆœMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨*áÆBrÙÑ  «Ö& F‘!1 €*áÆBrÙÑÐàV$HMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--øC:\Windows\System32\services.exe--¨**(ž*áÆBrÙÑ  «Ö& F !1@ €*áÆBrÙÑÐàV$HžMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨ŸKÎBrÙÑ  «Ö& F!1 €KÎBrÙÑÐàV$HŸMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--øC:\Windows\System32\services.exe--¨**  KÎBrÙÑ  «Ö& F !1@ €KÎBrÙÑÐàV$H Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜¡l)ÕBrÙÑ  «Ö& F!1 €l)ÕBrÙÑÐàV$X¡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--˜** ¢l)ÕBrÙÑ  «Ö& F…!1@ €l)ÕBrÙÑÐàV$X¢Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜£,ìÙBrÙÑ  «Ö& F!1 €,ìÙBrÙÑÐàV$X£Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--˜** ¤,ìÙBrÙÑ  «Ö& F…!1@ €,ìÙBrÙÑÐàV$X¤Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **€¥w`4CrÙÑ  «Ö& Fe!1( €w`4CrÙÑÐàV$X¥Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skÃ< "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostC:\Windows\System32\winlogon.exe127.0.0.10€**ئw`4CrÙÑ  «Ö& F½!1 €w`4CrÙÑÐàV$X¦Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA9ÀUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10Ø**اw`4CrÙÑ  «Ö& F½!1 €w`4CrÙÑÐàV$X§Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA·ÀUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10Ø** ¨w`4CrÙÑ  «Ö& F!1@ €w`4CrÙÑÐàV$X¨Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA9ÀSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **@©ÈõÇCrÙÑ  «Ö& F'!1 €ÈõÇCrÙÑ\Reg$X©Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    --ANONYMOUS LOGONNT AUTHORITY¥NtLmSsp NTLM-NTLM V1---@**˜ª,mðCrÙÑ  «Ö& F!1 €,mðCrÙÑ\Reg$HªMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--˜** «,mðCrÙÑ  «Ö& F…!1@ €,mðCrÙÑ\Reg$H«Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜¬¡!_ErÙÑ  «Ö& F!1 €¡!_ErÙÑ\Reg$Œ¬Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--˜** ­¡!_ErÙÑ  «Ö& F…!1@ €¡!_ErÙÑ\Reg$Œ­Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **p®[¢GrÙÑ  «Ö& Fk!1 €[¢GrÙÑ$8®Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--p**ˆ¯[¢GrÙÑ  «Ö& Fƒ!1@ €[¢GrÙÑ$8¯Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**x°äE•rÙÑ  «Ö& Fm!1' €äE•rÙÑ$8°Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NÃÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA·Àx**À±©îo•rÙÑ ê@Sî !gL @©îo•rÙÑDô± T3[<À**(²£9S¡rÙÑ  «Ö& F!0 €£9S¡rÙÑpÝ«(,²Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî[(**³£9S¡rÙÑ  «Ö& Fõ!1 €£9S¡rÙÑpÝ«(,³Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ»  --SYSTEMNT AUTHORITYç-------**@´%¿\¡rÙÑ  «Ö& F#!5& €%¿\¡rÙÑpÝ«(`´Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ» É@**˜µ… _¡rÙÑ  «Ö& F!1 €… _¡rÙÑpÝ«(XµMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ìC:\Windows\System32\services.exe--˜** ¶… _¡rÙÑ  «Ö& F…!1@ €… _¡rÙÑpÝ«(X¶Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨·Æhm¡rÙÑ  «Ö& F‘!1 €Æhm¡rÙÑpÝ«(X·Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--ìC:\Windows\System32\services.exe--¨**(¸Æhm¡rÙÑ  «Ö& F !1@ €Æhm¡rÙÑpÝ«(X¸Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õ  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨¹‡+r¡rÙÑ  «Ö& F!1 €‡+r¡rÙÑpÝ«(X¹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ» " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--ìC:\Windows\System32\services.exe--¨  «Ö& F1@ €‡+r¡rÙÑpÝ«(XºMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«õElfChnkºº€8üHþ5±Aõ<<ðóè=DBÎ÷²›fB?øAA©MFºž>&k kJìAsDë¸ G**Pº‡+r¡rÙÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! F‰!1@ €‡+r¡rÙÑpÝ«(XºMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É®x«C‚Å“Â-žhÿÿ\ðD‚ EventDataAÿÿEΊoData%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= PrivilegeList  œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeNaP**0»¨Oy¡rÙÑ  «Ö& F!1 €¨Oy¡rÙÑpÝ«(X»Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk Éï:ÚÁ¹öǬr›fË8(~ÿÿrðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId Aÿÿ)= LogonType Aÿÿ7)=LogonProcessName AÿÿI;=AuthenticationPackageName Aÿÿ5'=WorkstationName Aÿÿ)= LogonGuid Aÿÿ=/=TransmittedServices Aÿÿ1#= LmPackageName Aÿÿ)= KeyLength Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ìC:\Windows\System32\services.exe--Dri0** ¼¨Oy¡rÙÑ  «Ö& F…!1@ €¨Oy¡rÙÑpÝ«(X¼Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege  **˜½±{¡rÙÑ  «Ö& F!1 €±{¡rÙÑpÝ«(½Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ìC:\Windows\System32\services.exe--˜** ¾±{¡rÙÑ  «Ö& F…!1@ €±{¡rÙÑpÝ«(¾Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegey Ý **¨¿±{Å¡rÙÑ  «Ö& F‘!1( €±{Å¡rÙÑpÝ«(\¿Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sks`/skbðhP3å'vÿÿðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ)= LogonGuid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ5'=TargetLogonGuid Aÿÿ7)=TargetServerName Aÿÿ+= TargetInfo Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort  "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostüC:\Windows\System32\winlogon.exe127.0.0.10R¨**ØÀ±{Å¡rÙÑ  «Ö& F½!1 €±{Å¡rÙÑpÝ«(\ÀMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA©¶User32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10 Ø**ØÁ±{Å¡rÙÑ  «Ö& F½!1 €±{Å¡rÙÑpÝ«(\ÁMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA·User32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10uriØ** ±{Å¡rÙÑ  «Ö& F!1@ €±{Å¡rÙÑpÝ«(\ÂMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA©¶SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeSe **@Ã?CA¢rÙÑ  «Ö& F'!1 €?CA¢rÙÑ\Reg(\ÃMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk     --ANONYMOUS LOGONNT AUTHORITY–NtLmSsp NTLM-NTLM V1---$@**˜ÄÂÓ]¢rÙÑ  «Ö& F!1 €ÂÓ]¢rÙÑ\Reg(ŒÄMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ìC:\Windows\System32\services.exe--gn˜** ÅÂÓ]¢rÙÑ  «Ö& F…!1@ €ÂÓ]¢rÙÑ\Reg(ŒÅMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege! **˜ÆÌ.g£rÙÑ  «Ö& F!1 €Ì.g£rÙÑ\Reg(àÆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ìC:\Windows\System32\services.exe--Pr˜** ÇÌ.g£rÙÑ  «Ö& F…!1@ €Ì.g£rÙÑ\Reg(àÇMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege! **pÈhHæ¥rÙÑ  «Ö& Fk!1 €hHæ¥rÙÑ(XÈMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ìC:\Windows\System32\services.exe--ip**ˆÉhHæ¥rÙÑ  «Ö& Fƒ!1@ €hHæ¥rÙÑ(XÉMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegenˆ**àÊ,B=ê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $AAm5DUserData! u!gL @,B=B«'ServiceShutdown FDBNwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**˜Ë§¦ ;(à Security -{NsD-{NŽ¯EßÄ•34èɦúÿÿîðAÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId   ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA·˜**PÌ&J²GsÙÑ  «Ö& F9!0 €&J²GsÙÑðÞn $ÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî GsÝ&ÎîË|Ö Žp)·cîÿÿðP**Í&J²GsÙÑ  «Ö& Fõ!1 €&J²GsÙÑðÞn $ÍMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk   --SYSTEMNT AUTHORITYç------- S**ÈΧϻGsÙÑ  «Ö& F¯!5& €§Ï»GsÙÑðÞn TÎMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇkJºìÇ'1°—`A—–—ù tÿÿhðAÿÿ'=PuaCount Aÿÿ-= PuaPolicyId IÉ%–„È**˜Ï1¾GsÙÑ  «Ö& F!1 €1¾GsÙÑðÞn PÏMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ôC:\Windows\System32\services.exe--ro˜** Ð1¾GsÙÑ  «Ö& F…!1@ €1¾GsÙÑðÞn PÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege”I¥º> **¨ÑIyÌGsÙÑ  «Ö& F‘!1 €IyÌGsÙÑðÞn PÑMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--ôC:\Windows\System32\services.exe--i¨**(ÒIyÌGsÙÑ  «Ö& F !1@ €IyÌGsÙÑðÞn PÒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegetem(**¨Ó <ÑGsÙÑ  «Ö& F!1 € <ÑGsÙÑðÞn PÓMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--ôC:\Windows\System32\services.exe--¨** Ô <ÑGsÙÑ  «Ö& F !1@ € <ÑGsÙÑðÞn PÔMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegev **˜Õ+`ØGsÙÑ  «Ö& F!1 €+`ØGsÙÑðÞn DÕMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ôC:\Windows\System32\services.exe--s-˜** Ö+`ØGsÙÑ  «Ö& F…!1@ €+`ØGsÙÑðÞn DÖMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeege **˜×‹ÁÚGsÙÑ  «Ö& F!1 €‹ÁÚGsÙÑðÞn D×Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ôC:\Windows\System32\services.exe--˜** Ø‹ÁÚGsÙÑ  «Ö& F…!1@ €‹ÁÚGsÙÑðÞn DØMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **€ÙôN)HsÙÑ  «Ö& Fe!1( €ôN)HsÙÑðÞn DÙMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sks "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostüC:\Windows\System32\winlogon.exe127.0.0.10€**ØÚôN)HsÙÑ  «Ö& F½!1 €ôN)HsÙÑðÞn DÚMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAƒ«User32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.104Ø**ØÛôN)HsÙÑ  «Ö& F½!1 €ôN)HsÙÑðÞn DÛMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAû«User32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10perØ** ÜôN)HsÙÑ  «Ö& F!1@ €ôN)HsÙÑðÞn DÜMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAƒ«SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **@ÝÄ^³HsÙÑ  «Ö& F'!1 €Ä^³HsÙÑ\Reg PÝMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk     --ANONYMOUS LOGONNT AUTHORITYבNtLmSsp NTLM-NTLM V1---F@**˜Þ‰7ÞHsÙÑ  «Ö& F!1 €‰7ÞHsÙÑ\Reg ÄÞMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ôC:\Windows\System32\services.exe--˜** ß‰7ÞHsÙÑ  «Ö& F…!1@ €‰7ÞHsÙÑ\Reg ÄßMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeMN **˜à´bcJsÙÑ  «Ö& F!1 €´bcJsÙÑ\Reg DàMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ôC:\Windows\System32\services.exe-- ˜** á´bcJsÙÑ  «Ö& F…!1@ €´bcJsÙÑ\Reg DáMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeMN **pâC NLsÙÑ  «Ö& Fk!1 €C NLsÙÑ PâMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ôC:\Windows\System32\services.exe-- p**ˆãC NLsÙÑ  «Ö& Fƒ!1@ €C NLsÙÑ PãMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeUˆ**xäû8fvÙÑ  «Ö& Fm!1' €û8fvÙÑ 4äMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NsDÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAû««pÙÑx**ÀåÀ‘vÙÑ ê@Sž> !gL @À‘vÙÑ8˜ å T3[ìA À**(æ%Å[ vÙÑ  «Ö& F!0 €%Å[ vÙÑÞgæMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî GC(**ç%Å[ vÙÑ  «Ö& Fõ!1 €%Å[ vÙÑÞgçMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk   --SYSTEMNT AUTHORITYç-------ROU**@è¬g vÙÑ  «Ö& F#!5& €¬g vÙÑÞg\èMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇkJÕÈì/«@**˜éf j vÙÑ  «Ö& F!1 €f j vÙÑÞgTéMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--ys˜** êf j vÙÑ  «Ö& F…!1@ €f j vÙÑÞgTêMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege» **¨ë¨Ux vÙÑ  «Ö& F‘!1 €¨Ux vÙÑÞgTëMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--äC:\Windows\System32\services.exe--0¨**(ì¨Ux vÙÑ  «Ö& F !1@ €¨Ux vÙÑÞgTìMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegey ®(**¨íi} vÙÑ  «Ö& F!1 €i} vÙÑÞgTíMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--äC:\Windows\System32\services.exe--¨** îi} vÙÑ  «Ö& F !1@ €i} vÙÑÞgTîMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeS **˜ïŠ<„ vÙÑ  «Ö& F!1 €Š<„ vÙÑÞgPïMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe-- ˜** ðŠ<„ vÙÑ  «Ö& F…!1@ €Š<„ vÙÑÞgPðMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege• **˜ñê† vÙÑ  «Ö& F!1 €ê† vÙÑÞgPñMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--eP˜** òê† vÙÑ  «Ö& F…!1@ €ê† vÙÑÞgPòMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege! **€óS+Õ vÙÑ  «Ö& Fe!1( €S+Õ vÙÑÞgPóMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sks "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostüC:\Windows\System32\winlogon.exe127.0.0.10-€**ØôS+Õ vÙÑ  «Ö& F½!1 €S+Õ vÙÑÞgPôMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAŸ»User32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10Ø**ØõS+Õ vÙÑ  «Ö& F½!1 €S+Õ vÙÑÞgPõMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAA¼User32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10okeØ** öS+Õ vÙÑ  «Ö& F!1@ €S+Õ vÙÑÞgPöMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAŸ»SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegety ï **@÷ƒœa vÙÑ  «Ö& F'!1 €ƒœa vÙÑ\RegD÷Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk     --ANONYMOUS LOGONNT AUTHORITY¨‡NtLmSsp NTLM-NTLM V1---M@**ðøB_ vÙÑ  «Ö& FÕ!0 €B_ vÙÑ\Reg0øMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…ë¸ ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ/!= PreviousTime Aÿÿ%=NewTime Aÿÿ)= ProcessId Aÿÿ-= ProcessName  "dWIN-03DLIIOFRRA$WORKGROUPç…§t vÙÑB_ vÙÑC:\Program Files\VMware\VMware Tools\vmtoolsd.exetemð**˜ù3qy vÙÑ  «Ö& F!1 €3qy vÙÑ\RegPùMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** ú3qy vÙÑ  «Ö& F…!1@ €3qy vÙÑ\RegPúMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeEM **pû”ÜkvÙÑ  «Ö& Fk!1 €”ÜkvÙÑ ûMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆü”ÜkvÙÑ  «Ö& Fƒ!1@ €”ÜkvÙÑ üMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeiˆ**pýºÔ vÙÑ  «Ö& Fk!1 €ºÔ vÙÑDýMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--ap**ˆþºÔ vÙÑ  «Ö& Fƒ!1@ €ºÔ vÙÑDþMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeuˆ**Àÿ Pµ[vÙÑ ê@Sž> !gL @ Pµ[vÙÑ4 ÿ T3[ìAWORKÀ**ˆŸ_[vÙÑ  «Ö& Fm!1' €Ÿ_[vÙÑ\RegDMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NsD  ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAA¼ˆ**(itgvÙÑ  «Ö& F!0 €itgvÙÑ }ÿ?Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî GW(**itgvÙÑ  «Ö& Fõ!1 €itgvÙÑ }ÿ?Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk   --SYSTEMNT AUTHORITYç-------cro**@êùgvÙÑ  «Ö& F#!5& €êùgvÙÑ }ÿ?\Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇkJgÉeLoa@**˜K["gvÙÑ  «Ö& F!1 €K["gvÙÑ }ÿ?XMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--˜** K["gvÙÑ  «Ö& F…!1@ €K["gvÙÑ }ÿ?XMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨ì3gvÙÑ  «Ö& F‘!1 €ì3gvÙÑ }ÿ?XMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--èC:\Windows\System32\services.exe--u¨**(ì3gvÙÑ  «Ö& F !1@ €ì3gvÙÑ }ÿ?XMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeB(**¨ ):gvÙÑ  «Ö& F!1 € ):gvÙÑ }ÿ?XMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--èC:\Windows\System32\services.exe--SeA¨**   ):gvÙÑ  «Ö& F !1@ € ):gvÙÑ }ÿ?X Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜ Ž®CgvÙÑ  «Ö& F!1 €Ž®CgvÙÑ }ÿ?Œ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--˜**  Ž®CgvÙÑ  «Ö& F…!1@ €Ž®CgvÙÑ }ÿ?Œ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜ ¯ÒJgvÙÑ  «Ö& F!1 €¯ÒJgvÙÑ }ÿ?Œ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--˜**  ¯ÒJgvÙÑ  «Ö& F…!1@ €¯ÒJgvÙÑ }ÿ?Œ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege”I¥º> **€Ý8ÄgvÙÑ  «Ö& Fe!1( €Ý8ÄgvÙÑ\RegXMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sks "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostC:\Windows\System32\winlogon.exe127.0.0.10€**ØÝ8ÄgvÙÑ  «Ö& F½!1 €Ý8ÄgvÙÑ\RegXMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¾ÄUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10SeBØ**ØÝ8ÄgvÙÑ  «Ö& F½!1 €Ý8ÄgvÙÑ\RegXMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk  "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÅUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10çØ** Ý8ÄgvÙÑ  «Ö& F!1@ €Ý8ÄgvÙÑ\RegXMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¾ÄSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege** **à$hvÙÑ  «Ö& Fõ!0 €à$hvÙÑ\Reg0Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…ë¸ "dWIN-03DLIIOFRRA$WORKGROUPçÌaBhvÙÑà$hvÙÑüC:\Program Files\VMware\VMware Tools\vmtoolsd.exepi Negotiate  «Ö& Fes1 €@|&hvÙÑ\RegMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁk     -Auditing%–„TxT”I¥º>;(à Security ®x«õElfChnknn€HþˆÿéеÂ&yòðóè=|'Î÷²›fK'?øy&©MFºÖ#&c -$'5"ÞK**° @|&hvÙÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! Fë!1 €@|&hvÙÑ\RegMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉï:ÚÁ¹öǬr›fË8(¬ÿÿ ðD‚ EventDataAÿÿEΊoData%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId Aÿÿ)= LogonType Aÿÿ7)=LogonProcessName AÿÿI;=AuthenticationPackageName Aÿÿ5'=WorkstationName Aÿÿ)= LogonGuid Aÿÿ=/=TransmittedServices Aÿÿ1#= LmPackageName Aÿÿ)= KeyLength Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort     --ANONYMOUS LOGONNT AUTHORITYQzNtLmSsp NTLM-NTLM V1---=° **˜c«@hvÙÑ  «Ö& F!1 €c«@hvÙÑ\RegLMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--˜**ðc«@hvÙÑ  «Ö& F×!1@ €c«@hvÙÑ\RegLMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«cÉ®x«C‚Å“Â-ž:ÿÿ.ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= PrivilegeList  &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege±{¡ð**p÷\ivÙÑ  «Ö& Fk!1 €÷\ivÙÑ`Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--ep**ˆ÷\ivÙÑ  «Ö& Fƒ!1@ €÷\ivÙÑ`Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegerˆ**púlvÙÑ  «Ö& Fk!1 €úlvÙÑ`Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--=p**ˆúlvÙÑ  «Ö& Fƒ!1@ €úlvÙÑ`Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ˆµ‡¿ÀvÙÑ  «Ö& F!1' €µ‡¿ÀvÙÑ`Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{N5"-{NŽ¯EßÄ•34èɦúÿÿîðAÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÅon.ˆ**àŸšÁvÙÑ ê@SÖ#ê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $y&m5DUserData! u!gL @ŸšÁvÙÑP¼ T3[$'T3[ÓˆY}É*ë•ÄlJAÿÿ>K'«'ServiceShutdown F|'Nwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**PÈ×ûÌvÙÑ  «Ö& F9!0 €È×ûÌvÙÑàß> $Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî«)Ý&ÎîË|Ö Žp)·cîÿÿðP**È×ûÌvÙÑ  «Ö& Fõ!1 €È×ûÌvÙÑàß> $Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --SYSTEMNT AUTHORITYç------- V1**ÈI]ÍvÙÑ  «Ö& F¯!5& €I]ÍvÙÑàß> TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ -ºìÇ'1°—`A—–—ù tÿÿhðAÿÿ'=PuaCount Aÿÿ-= PuaPolicyId †ÉRKÈ**˜ª¾ÍvÙÑ  «Ö& F!1 €ª¾ÍvÙÑàß> „Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--le˜**  ª¾ÍvÙÑ  «Ö& F…!1@ €ª¾ÍvÙÑàß> „ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeORK **¨!ëÍvÙÑ  «Ö& F‘!1 €ëÍvÙÑàß> D!Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--äC:\Windows\System32\services.exe--S¨**("ëÍvÙÑ  «Ö& F !1@ €ëÍvÙÑàß> D"Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨#¬ÉÍvÙÑ  «Ö& F!1 €¬ÉÍvÙÑàß> D#Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--äC:\Windows\System32\services.exe--!¨** $¬ÉÍvÙÑ  «Ö& F !1@ €¬ÉÍvÙÑàß> D$Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegee **˜%Íí!ÍvÙÑ  «Ö& F!1 €Íí!ÍvÙÑàß> X%Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** &Íí!ÍvÙÑ  «Ö& F…!1@ €Íí!ÍvÙÑàß> X&Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeF **˜'-O$ÍvÙÑ  «Ö& F!1 €-O$ÍvÙÑàß> „'Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--F˜** (-O$ÍvÙÑ  «Ö& F…!1@ €-O$ÍvÙÑàß> „(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeΠ**¨)ÕnÍvÙÑ  «Ö& F‘!1( €ÕnÍvÙÑàß> |)Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skK«)`/skbðhP3å'vÿÿðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ)= LogonGuid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ5'=TargetLogonGuid Aÿÿ7)=TargetServerName Aÿÿ+= TargetInfo Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort  "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostüC:\Windows\System32\winlogon.exe127.0.0.10y¨**Ø*ÕnÍvÙÑ  «Ö& F½!1 €ÕnÍvÙÑàß> |*Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA2¾User32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10 "Ø**Ø+ÕnÍvÙÑ  «Ö& F½!1 €ÕnÍvÙÑàß> |+Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA–¾User32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10SERØ** ,ÕnÍvÙÑ  «Ö& F!1@ €ÕnÍvÙÑàß> |,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA2¾SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeô **@-€çÍvÙÑ  «Ö& F'!1 €€çÍvÙÑ\Reg |-Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    --ANONYMOUS LOGONNT AUTHORITYňNtLmSsp NTLM-NTLM V1--- @**˜.çqÎvÙÑ  «Ö& F!1 €çqÎvÙÑ\Reg |.Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--\S˜** /çqÎvÙÑ  «Ö& F…!1@ €çqÎvÙÑ\Reg |/Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege  **˜0`ã ÏvÙÑ  «Ö& F!1 €`ã ÏvÙÑ\Reg |0Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--\S˜** 1`ã ÏvÙÑ  «Ö& F…!1@ €`ã ÏvÙÑ\Reg |1Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege  **p2ýº”ÑvÙÑ  «Ö& Fk!1 €ýº”ÑvÙÑ |2Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--yp**ˆ3ýº”ÑvÙÑ  «Ö& Fƒ!1@ €ýº”ÑvÙÑ |3Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**À4v²ÙzxÙÑ ê@SÖ# !gL @v²ÙzxÙÑ<¨4 T3[$' "À**ˆ5Qx¬zxÙÑ  «Ö& Fm!1' €Qx¬zxÙÑ\Reg 45Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{N5"  ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA–¾on.ˆ**(6ªÈ†xÙÑ  «Ö& F!0 €ªÈ†xÙÑI‡@d 6Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî«)¥º>(**7ªÈ†xÙÑ  «Ö& Fõ!1 €ªÈ†xÙÑI‡@d 7Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --SYSTEMNT AUTHORITYç-------ile**@8+N$†xÙÑ  «Ö& F#!5& €+N$†xÙÑI‡@dP8Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ -uÉ@**˜9‹¯&†xÙÑ  «Ö& F!1 €‹¯&†xÙÑI‡@dL9Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ôC:\Windows\System32\services.exe---0˜** :‹¯&†xÙÑ  «Ö& F…!1@ €‹¯&†xÙÑI‡@dL:Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegePri **¨;Í÷4†xÙÑ  «Ö& F‘!1 €Í÷4†xÙÑI‡@dL;Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--ôC:\Windows\System32\services.exe--R¨**(<Í÷4†xÙÑ  «Ö& F !1@ €Í÷4†xÙÑI‡@dL<Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege (**¨=º9†xÙÑ  «Ö& F!1 €º9†xÙÑI‡@dL=Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--ôC:\Windows\System32\services.exe--¨** >º9†xÙÑ  «Ö& F !1@ €º9†xÙÑI‡@dL>Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege\ **˜?®Þ@†xÙÑ  «Ö& F!1 €®Þ@†xÙÑI‡@dL?Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ôC:\Windows\System32\services.exe--up˜** @®Þ@†xÙÑ  «Ö& F…!1@ €®Þ@†xÙÑI‡@dL@Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜A@C†xÙÑ  «Ö& F!1 €@C†xÙÑI‡@dLAMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ôC:\Windows\System32\services.exe--˜** B@C†xÙÑ  «Ö& F…!1@ €@C†xÙÑI‡@dLBMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegegot **€Cl†xÙÑ  «Ö& Fe!1( €l†xÙÑI‡@dLCMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skK "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostüC:\Windows\System32\winlogon.exe127.0.0.10leg€**ØDl†xÙÑ  «Ö& F½!1 €l†xÙÑI‡@dLDMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¸¹User32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10  Ø**ØEl†xÙÑ  «Ö& F½!1 €l†xÙÑI‡@dLEMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRANºUser32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10NT Ø** Fl†xÙÑ  «Ö& F!1@ €l†xÙÑI‡@dLFMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¸¹SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege:\Wi **@Gåp‡xÙÑ  «Ö& F'!1 €åp‡xÙÑ\Reg@GMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    --ANONYMOUS LOGONNT AUTHORITYÉŒNtLmSsp NTLM-NTLM V1---mp@**ðH ÷¾†xÙÑ  «Ö& FÕ!0 € ÷¾†xÙÑ\Reg<HMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…Þ ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ/!= PreviousTime Aÿÿ%=NewTime Aÿÿ)= ProcessId Aÿÿ-= ProcessName  "dWIN-03DLIIOFRRA$WORKGROUPçåp‡xÙÑ ÷¾†xÙÑüC:\Program Files\VMware\VMware Tools\vmtoolsd.exeð**˜I$ å†xÙÑ  «Ö& F!1 €$ å†xÙÑ\RegpIMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ôC:\Windows\System32\services.exe--Ö&˜** J$ å†xÙÑ  «Ö& F…!1@ €$ å†xÙÑ\RegpJMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **pKLuˆxÙÑ  «Ö& Fk!1 €LuˆxÙÑ@KMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ôC:\Windows\System32\services.exe--p**ˆLLuˆxÙÑ  «Ö& Fƒ!1@ €LuˆxÙÑ@LMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeeˆ**pMûoŠxÙÑ  «Ö& Fk!1 €ûoŠxÙÑ@MMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ôC:\Windows\System32\services.exe--p**ˆNûoŠxÙÑ  «Ö& Fƒ!1@ €ûoŠxÙÑ@NMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeèˆ**ÀOügºxÙÑ ê@SÖ# !gL @ügºxÙÑ8´O T3[$'riviÀ**ˆP“Ú·¹xÙÑ  «Ö& Fm!1' €“Ú·¹xÙÑ\RegTPMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{N5"  ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRANº!ˆ**(Q¢ ŸÅxÙÑ  «Ö& F!0 €¢ ŸÅxÙÑ\ðnsQMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî«)NO(**R¢ ŸÅxÙÑ  «Ö& Fõ!1 €¢ ŸÅxÙÑ\ðnsRMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --SYSTEMNT AUTHORITYç-------tUs**@SƒðªÅxÙÑ  «Ö& F#!5& €ƒðªÅxÙÑ\ðnsTSMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ -ÝÈ= @**˜TäQ­ÅxÙÑ  «Ö& F!1 €äQ­ÅxÙÑ\ðns€TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** UäQ­ÅxÙÑ  «Ö& F…!1@ €äQ­ÅxÙÑ\ðns€UMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeerP **¨V%š»ÅxÙÑ  «Ö& F‘!1 €%š»ÅxÙÑ\ðnsPVMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--äC:\Windows\System32\services.exe--¨**(W%š»ÅxÙÑ  «Ö& F !1@ €%š»ÅxÙÑ\ðnsPWMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨XF¾ÂÅxÙÑ  «Ö& F!1 €F¾ÂÅxÙÑ\ðns€XMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--äC:\Windows\System32\services.exe--¨** YF¾ÂÅxÙÑ  «Ö& F !1@ €F¾ÂÅxÙÑ\ðns€YMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivileges **˜ZÇÅxÙÑ  «Ö& F!1 €ÇÅxÙÑ\ðnsDZMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--eg˜** [ÇÅxÙÑ  «Ö& F…!1@ €ÇÅxÙÑ\ðnsD[Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜\gâÉÅxÙÑ  «Ö& F!1 €gâÉÅxÙÑ\ðnsP\Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** ]gâÉÅxÙÑ  «Ö& F…!1@ €gâÉÅxÙÑ\ðnsP]Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegegot **€^0ÑÆxÙÑ  «Ö& Fe!1( €0ÑÆxÙÑ\ðnsD^Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skK "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostüC:\Windows\System32\winlogon.exe127.0.0.10leg€**Ø_0ÑÆxÙÑ  «Ö& F½!1 €0ÑÆxÙÑ\ðnsD_Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAºÂUser32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10  Ø**Ø`0ÑÆxÙÑ  «Ö& F½!1 €0ÑÆxÙÑ\ðnsD`Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA@ÃUser32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10NT Ø** a0ÑÆxÙÑ  «Ö& F!1@ €0ÑÆxÙÑ\ðnsDaMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAºÂSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege:\Wi **@b=ÆxÙÑ  «Ö& F'!1 €=ÆxÙÑ\Reg€bMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    --ANONYMOUS LOGONNT AUTHORITY*‰NtLmSsp NTLM-NTLM V1---mp@**c`ØlÆxÙÑ  «Ö& Fõ!0 €`ØlÆxÙÑ\RegDcMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…Þ "dWIN-03DLIIOFRRA$WORKGROUPç=ÆxÙÑ`ØlÆxÙÑ C:\Program Files\VMware\VMware Tools\vmtoolsd.exeHOR**˜dcãÆxÙÑ  «Ö& F!1 €cãÆxÙÑ\RegPdMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--cu˜** ecãÆxÙÑ  «Ö& F…!1@ €cãÆxÙÑ\RegPeMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeHOR **˜f)ݱÇxÙÑ  «Ö& F!1 €)ݱÇxÙÑ\RegPfMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--cu˜** g)ݱÇxÙÑ  «Ö& F…!1@ €)ݱÇxÙÑ\RegPgMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **ph"âÊxÙÑ  «Ö& Fk!1 €"âÊxÙÑPhMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆi"âÊxÙÑ  «Ö& Fƒ!1@ €"âÊxÙÑPiMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«c  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegewˆ**ÀjÔDyÙÑ ê@SÖ# !gL @ÔDyÙÑ4àj T3[$'À**ˆkáÌ“DyÙÑ  «Ö& Fm!1' €áÌ“DyÙÑ\Reg€kMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{N5"  ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA@ÃLoaˆ**(lG>­PyÙÑ  «Ö& F!0 €G>­PyÙÑðállMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî«)*(**mG>­PyÙÑ  «Ö& Fõ!1 €G>­PyÙÑðálmMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --SYSTEMNT AUTHORITYç-------pi **@n)%¹PyÙÑ  «Ö& F#!5& €)%¹PyÙÑðálTnMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ -—É@ -Auditing%–„TxT”I¥º>;(à Security ®x«õElfChnkoÇoÇ€°úPþÓ…# ¢Üðóè=$VÎ÷²›fóU?ø!U©MFº~R&#³[ÌUÝPÓ:SX** o‰†»PyÙÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! FC!1 €‰†»PyÙÑðál„oMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉï:ÚÁ¹öǬr›fË8(¬ÿÿ ðD‚ EventDataAÿÿEΊoData%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId Aÿÿ)= LogonType Aÿÿ7)=LogonProcessName AÿÿI;=AuthenticationPackageName Aÿÿ5'=WorkstationName Aÿÿ)= LogonGuid Aÿÿ=/=TransmittedServices Aÿÿ1#= LmPackageName Aÿÿ)= KeyLength Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe-- **ðp‰†»PyÙÑ  «Ö& F×!1@ €‰†»PyÙÑðál„pMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#É®x«C‚Å“Â-ž:ÿÿ.ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= PrivilegeList  &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeTHð**¨qËÎÉPyÙÑ  «Ö& F‘!1 €ËÎÉPyÙÑðál„qMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--äC:\Windows\System32\services.exe--¨**(rËÎÉPyÙÑ  «Ö& F !1@ €ËÎÉPyÙÑðál„rMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨s‹‘ÎPyÙÑ  «Ö& F!1 €‹‘ÎPyÙÑðál„sMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--äC:\Windows\System32\services.exe--SeD¨** t‹‘ÎPyÙÑ  «Ö& F !1@ €‹‘ÎPyÙÑðál„tMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜u¬µÕPyÙÑ  «Ö& F!1 €¬µÕPyÙÑðál„uMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--en˜** v¬µÕPyÙÑ  «Ö& F…!1@ €¬µÕPyÙÑðál„vMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegerNa **˜w ØPyÙÑ  «Ö& F!1 € ØPyÙÑðál„wMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--÷˜** x ØPyÙÑ  «Ö& F…!1@ € ØPyÙÑðál„xMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨y6g+QyÙÑ  «Ö& F‘!1( €6g+QyÙÑðál„yMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk*`/skbðhP3å'vÿÿðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ)= LogonGuid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ5'=TargetLogonGuid Aÿÿ7)=TargetServerName Aÿÿ+= TargetInfo Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort  "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostüC:\Windows\System32\winlogon.exe127.0.0.10i¨**Øz6g+QyÙÑ  «Ö& F½!1 €6g+QyÙÑðál„zMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA©µUser32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10Ø**Ø{6g+QyÙÑ  «Ö& F½!1 €6g+QyÙÑðál„{Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¶User32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10FØ** |6g+QyÙÑ  «Ö& F!1@ €6g+QyÙÑðál„|Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA©µSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeurit **@}&›¼QyÙÑ  «Ö& F'!1 €&›¼QyÙÑ\Reg€}Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    --ANONYMOUS LOGONNT AUTHORITY¸†NtLmSsp NTLM-NTLM V1---%–„@**ð~0¯²QyÙÑ  «Ö& FÕ!0 €0¯²QyÙÑ\Reg<~Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…Ó: ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ/!= PreviousTime Aÿÿ%=NewTime Aÿÿ)= ProcessId Aÿÿ-= ProcessName  "dWIN-03DLIIOFRRA$WORKGROUPçjîÝQyÙÑ0¯²QyÙÑC:\Program Files\VMware\VMware Tools\vmtoolsd.exeð**˜–¾QyÙÑ  «Ö& F!1 €–¾QyÙÑ\RegPMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** €–¾QyÙÑ  «Ö& F…!1@ €–¾QyÙÑ\RegP€Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **p'ÇÙSyÙÑ  «Ö& Fk!1 €'ÇÙSyÙÑPMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe---p**ˆ‚'ÇÙSyÙÑ  «Ö& Fƒ!1@ €'ÇÙSyÙÑP‚Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeaˆ**pƒ‹ÔSUyÙÑ  «Ö& Fk!1 €‹ÔSUyÙÑPƒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--Lp**ˆ„‹ÔSUyÙÑ  «Ö& Fƒ!1@ €‹ÔSUyÙÑP„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ˆ…H.€yÙÑ  «Ö& F!1' €H.€yÙÑô…Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NÝP-{NŽ¯EßÄ•34èɦúÿÿîðAÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¶xeˆ**à†mR[€yÙÑ ê@S~Rê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $!Um5DUserData! u!gL @mR[€yÙÑ8¼† T3[ÌUT3[ÓˆY}É*ë•ÄlJAÿÿ>óU«'ServiceShutdown F$VNwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**P‡f!<ŒyÙÑ  «Ö& F9!0 €f!<ŒyÙÑ Üÿ,0‡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîSX*Ý&ÎîË|Ö Žp)·cîÿÿðÍP**ˆf!<ŒyÙÑ  «Ö& Fõ!1 €f!<ŒyÙÑ Üÿ,0ˆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --SYSTEMNT AUTHORITYç-------**ȉç¦EŒyÙÑ  «Ö& F¯!5& €ç¦EŒyÙÑ Üÿ,d‰Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìdz[ºìÇ'1°—`A—–—ù tÿÿhðAÿÿ'=PuaCount Aÿÿ-= PuaPolicyId ìÈOUÈ**˜Šç¦EŒyÙÑ  «Ö& F!1 €ç¦EŒyÙÑ Üÿ,\ŠMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ðC:\Windows\System32\services.exe-- ˜** ‹ç¦EŒyÙÑ  «Ö& F…!1@ €ç¦EŒyÙÑ Üÿ,\‹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeROU **¨Œ(ïSŒyÙÑ  «Ö& F‘!1 €(ïSŒyÙÑ Üÿ,€ŒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--ðC:\Windows\System32\services.exe--b¨**((ïSŒyÙÑ  «Ö& F !1@ €(ïSŒyÙÑ Üÿ,€Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨ŽI[ŒyÙÑ  «Ö& F!1 €I[ŒyÙÑ Üÿ,€ŽMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--ðC:\Windows\System32\services.exe--¨** I[ŒyÙÑ  «Ö& F !1@ €I[ŒyÙÑ Üÿ,€Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivileget **˜j7bŒyÙÑ  «Ö& F!1 €j7bŒyÙÑ Üÿ,PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ðC:\Windows\System32\services.exe--ti˜** ‘j7bŒyÙÑ  «Ö& F…!1@ €j7bŒyÙÑ Üÿ,P‘Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜’j7bŒyÙÑ  «Ö& F!1 €j7bŒyÙÑ Üÿ,P’Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ðC:\Windows\System32\services.exe--"˜** “j7bŒyÙÑ  «Ö& F…!1@ €j7bŒyÙÑ Üÿ,P“Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegePri **€”¬ŒyÙÑ  «Ö& Fe!1( €¬ŒyÙÑ Üÿ,\”Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk* "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostC:\Windows\System32\winlogon.exe127.0.0.10uri€**Ø•¬ŒyÙÑ  «Ö& F½!1 €¬ŒyÙÑ Üÿ,\•Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAž³User32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10Ø**Ø–¬ŒyÙÑ  «Ö& F½!1 €¬ŒyÙÑ Üÿ,\–Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA´User32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10AUTØ** —¬ŒyÙÑ  «Ö& F!1@ €¬ŒyÙÑ Üÿ,\—Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAž³SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **@˜Âí.yÙÑ  «Ö& F'!1 €Âí.yÙÑ\Reg,€˜Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    --ANONYMOUS LOGONNT AUTHORITY‘NtLmSsp NTLM-NTLM V1---xe@**˜™„»FyÙÑ  «Ö& F!1 €„»FyÙÑ\Reg, ™Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ðC:\Windows\System32\services.exe--ku˜** š„»FyÙÑ  «Ö& F…!1@ €„»FyÙÑ\Reg, šMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeexe **˜›µ­ŽyÙÑ  «Ö& F!1 €µ­ŽyÙÑ\Reg,€›Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ðC:\Windows\System32\services.exe--ku˜** œµ­ŽyÙÑ  «Ö& F…!1@ €µ­ŽyÙÑ\Reg,€œMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege** **p)ã×yÙÑ  «Ö& Fk!1 €)ã×yÙÑ,PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ðC:\Windows\System32\services.exe--Cp**ˆž)ã×yÙÑ  «Ö& Fƒ!1@ €)ã×yÙÑ,PžMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ÀŸ@uOzÙÑ ê@S~R !gL @@uOzÙÑL Ÿ T3[ÌUcuriÀ**ˆ ºÙÕNzÙÑ  «Ö& Fm!1' €ºÙÕNzÙÑ\Reg,\ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NÝP  ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA´ileˆ**(¡Mˆ¯{ÙÑ  «Ö& F!0 €Mˆ¯{ÙÑâl°!x $¡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîSX(**¢Mˆ¯{ÙÑ  «Ö& Fõ!1 €Mˆ¯{ÙÑâl°!x $¢Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --SYSTEMNT AUTHORITYç-------**@£Î ¹{ÙÑ  «Ö& F#!5& €Î ¹{ÙÑâl°!x T£Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìdz[)ÉserN@**˜¤.o»{ÙÑ  «Ö& F!1 €.o»{ÙÑâl°!x x¤Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** ¥.o»{ÙÑ  «Ö& F…!1@ €.o»{ÙÑâl°!x x¥Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeTHO **¨¦0zÎ{ÙÑ  «Ö& F‘!1 €0zÎ{ÙÑâl°!x x¦Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--äC:\Windows\System32\services.exe--¨**(§0zÎ{ÙÑ  «Ö& F !1@ €0zÎ{ÙÑâl°!x x§Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨¨QžÕ{ÙÑ  «Ö& F!1 €QžÕ{ÙÑâl°!x P¨Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--äC:\Windows\System32\services.exe--SeD¨** ©QžÕ{ÙÑ  «Ö& F !1@ €QžÕ{ÙÑâl°!x P©Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜ªrÂÜ{ÙÑ  «Ö& F!1 €rÂÜ{ÙÑâl°!x xªMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--en˜** «rÂÜ{ÙÑ  «Ö& F…!1@ €rÂÜ{ÙÑâl°!x x«Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegerit **˜¬2…á{ÙÑ  «Ö& F!1 €2…á{ÙÑâl°!x x¬Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--in˜** ­2…á{ÙÑ  «Ö& F…!1@ €2…á{ÙÑâl°!x x­Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegey ï **€®ÁL]{ÙÑ  «Ö& Fe!1( €ÁL]{ÙÑ\Reg x®Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk* "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostC:\Windows\System32\winlogon.exe127.0.0.10”I¥º>€**دÁL]{ÙÑ  «Ö& F½!1 €ÁL]{ÙÑ\Reg x¯Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¼ðUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10Ø**Ø°ÁL]{ÙÑ  «Ö& F½!1 €ÁL]{ÙÑ\Reg x°Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAŠñUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10FØ** ±ÁL]{ÙÑ  «Ö& F!1@ €ÁL]{ÙÑ\Reg x±Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¼ðSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **@²è‘{ÙÑ  «Ö& F'!1 €è‘{ÙÑ\Reg x²Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    --ANONYMOUS LOGONNT AUTHORITYóZNtLmSsp NTLM-NTLM V1---%–„@**˜³×Ý{ÙÑ  «Ö& F!1 €×Ý{ÙÑ\Reg X³Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** ´×Ý{ÙÑ  «Ö& F…!1@ €×Ý{ÙÑ\Reg X´Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege  **pµÝÁ6{ÙÑ  «Ö& Fk!1 €ÝÁ6{ÙÑ xµMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆ¶ÝÁ6{ÙÑ  «Ö& Fƒ!1@ €ÝÁ6{ÙÑ x¶Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeeˆ**p·½ßü{ÙÑ  «Ö& Fk!1 €½ßü{ÙÑ x·Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--ep**ˆ¸½ßü{ÙÑ  «Ö& Fƒ!1@ €½ßü{ÙÑ x¸Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeUˆ**À¹xO­x{ÙÑ ê@S~R !gL @xO­x{ÙÑ<t ¹ T3[ÌU10À**ˆºP mx{ÙÑ  «Ö& Fm!1' €P mx{ÙÑ\Reg PºMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NÝP  ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAŠñWˆ**(»ð*k‹{ÙÑ  «Ö& F!0 €ð*k‹{ÙÑ`âf $»Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîSXlo(**¼ð*k‹{ÙÑ  «Ö& Fõ!1 €ð*k‹{ÙÑ`âf $¼Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --SYSTEMNT AUTHORITYç-------ile**@½2sy‹{ÙÑ  «Ö& F#!5& €2sy‹{ÙÑ`âf T½Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìdz[É:\Wi@**˜¾ò5~‹{ÙÑ  «Ö& F!1 €ò5~‹{ÙÑ`âf P¾Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** ¿ò5~‹{ÙÑ  «Ö& F…!1@ €ò5~‹{ÙÑ`âf P¿Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeHOR **¨ÀU¢“‹{ÙÑ  «Ö& F‘!1 €U¢“‹{ÙÑ`âf PÀMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--äC:\Windows\System32\services.exe--v¨**(ÁU¢“‹{ÙÑ  «Ö& F !1@ €U¢“‹{ÙÑ`âf PÁMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨ÂvÆš‹{ÙÑ  «Ö& F!1 €vÆš‹{ÙÑ`âf PÂMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--äC:\Windows\System32\services.exe--ÙѨ** ÃvÆš‹{ÙÑ  «Ö& F !1@ €vÆš‹{ÙÑ`âf PÃMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivileges **˜ÄW­¦‹{ÙÑ  «Ö& F!1 €W­¦‹{ÙÑ`âf PÄMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** ÅW­¦‹{ÙÑ  «Ö& F…!1@ €W­¦‹{ÙÑ`âf PÅMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeriv **˜Æp«‹{ÙÑ  «Ö& F!1 €p«‹{ÙÑ`âf XÆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe-- ˜** Çp«‹{ÙÑ  «Ö& F…!1@ €p«‹{ÙÑ`âf XÇMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege** n)%¹PyÙÑ  «  «Ö& F&1( €‡3Œ{ÙÑ\Reg €ÈMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk* "  B-Auditing%–„TxT”I¥º>;(à Security ®x«õElfChnkÈ"È"€Hýàÿl¾49VU’ðóè=,:Î÷²›fû9?ø)9©MFº†6&ëµE”Ô9å4›[<õ…**ˆ ȇ3Œ{ÙÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! F¿!1( €‡3Œ{ÙÑ\Reg €ÈMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skÉ`/skbðhP3å'vBÿÿ6ðD‚ EventDataAÿÿEΊoData%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ)= LogonGuid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ5'=TargetLogonGuid Aÿÿ7)=TargetServerName Aÿÿ+= TargetInfo Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort  "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostC:\Windows\System32\winlogon.exe127.0.0.10ortˆ **pɇ3Œ{ÙÑ  «Ö& FS!1 €‡3Œ{ÙÑ\Reg €ÉMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£ ï:ÚÁ¹öǬr›fË8(~ÿÿrðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId Aÿÿ)= LogonType Aÿÿ7)=LogonProcessName AÿÿI;=AuthenticationPackageName Aÿÿ5'=WorkstationName Aÿÿ)= LogonGuid Aÿÿ=/=TransmittedServices Aÿÿ1#= LmPackageName Aÿÿ)= KeyLength Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort  "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÁãUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10xT”I¥º>p**Øʇ3Œ{ÙÑ  «Ö& F½!1 €‡3Œ{ÙÑ\Reg €ÊMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA6äUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10Ø**pˇ3Œ{ÙÑ  «Ö& FU!1@ €‡3Œ{ÙÑ\Reg €ËMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë£ ®x«C‚Å“Â-ž:ÿÿ.ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= PrivilegeList   ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÁãSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeowsp**@̱n†Œ{ÙÑ  «Ö& F'!1 €±n†Œ{ÙÑ\Reg €ÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£     --ANONYMOUS LOGONNT AUTHORITY&jNtLmSsp NTLM-NTLM V1---ti@**ðÍ0þ]Œ{ÙÑ  «Ö& FÕ!0 €0þ]Œ{ÙÑ\RegDÍMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…› ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ/!= PreviousTime Aÿÿ%=NewTime Aÿÿ)= ProcessId Aÿÿ-= ProcessName  "dWIN-03DLIIOFRRA$WORKGROUPçS—Œ{ÙÑ0þ]Œ{ÙÑpC:\Program Files\VMware\VMware Tools\vmtoolsd.exe Sð**˜ÎòËuŒ{ÙÑ  «Ö& F!1 €òËuŒ{ÙÑ\Reg xÎMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** ÏòËuŒ{ÙÑ  «Ö& F…!1@ €òËuŒ{ÙÑ\Reg xÏMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege S **˜ÐØÄž{ÙÑ  «Ö& F!1 €ØÄž{ÙÑ\Reg €ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--ÿ˜** ÑØÄž{ÙÑ  «Ö& F…!1@ €ØÄž{ÙÑ\Reg €ÑMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **pÒ»¨x{ÙÑ  «Ö& Fk!1 €»¨x{ÙÑ PÒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--Kp**ˆÓ»¨x{ÙÑ  «Ö& Fƒ!1@ €»¨x{ÙÑ PÓMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ˆÔ—‘×{ÙÑ  «Ö& F!1' €—‘×{ÙÑ PÔMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{Nå4-{NŽ¯EßÄ•34èɦúÿÿîðAÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA6äerPˆ**àÕ²ò×{ÙÑ ê@S†6ê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $)9m5DUserData! u!gL @²ò×{ÙÑ<¤Õ T3[Ô9T3[ÓˆY}É*ë•ÄlJAÿÿ>û9«'ServiceShutdown F,:Nwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**PÖçåã{ÙÑ  «Ö& F9!0 €çåã{ÙÑ â$(ÖMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî[<ÉÝ&ÎîË|Ö Žp)·cîÿÿðP**×çåã{ÙÑ  «Ö& Fõ!1 €çåã{ÙÑ â$(×Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£   --SYSTEMNT AUTHORITYç-------g%–„**ÈØh—îã{ÙÑ  «Ö& F¯!5& €h—îã{ÙÑ â$XØMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ»?ºìÇ'1°—`A—–—ù tÿÿhðAÿÿ'=PuaCount Aÿÿ-= PuaPolicyId ÉÖ&È**˜ÙÈøðã{ÙÑ  «Ö& F!1 €Èøðã{ÙÑ â$„ÙMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ìC:\Windows\System32\services.exe--iv˜** ÚÈøðã{ÙÑ  «Ö& F…!1@ €Èøðã{ÙÑ â$„ÚMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨Û Aÿã{ÙÑ  «Ö& F‘!1 € Aÿã{ÙÑ â$„ÛMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--ìC:\Windows\System32\services.exe--i¨**(Ü Aÿã{ÙÑ  «Ö& F !1@ € Aÿã{ÙÑ â$„ÜMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeORK(**¨Ý+eä{ÙÑ  «Ö& F!1 €+eä{ÙÑ â$PÝMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--ìC:\Windows\System32\services.exe--SeS¨** Þ+eä{ÙÑ  «Ö& F !1@ €+eä{ÙÑ â$PÞMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜ßL‰ ä{ÙÑ  «Ö& F!1 €L‰ ä{ÙÑ â$„ßMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ìC:\Windows\System32\services.exe--a˜** àL‰ ä{ÙÑ  «Ö& F…!1@ €L‰ ä{ÙÑ â$„àMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivileges. **˜ál­ä{ÙÑ  «Ö& F!1 €l­ä{ÙÑ â$PáMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ìC:\Windows\System32\services.exe--˜** âl­ä{ÙÑ  «Ö& F…!1@ €l­ä{ÙÑ â$PâMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **€ã6œeä{ÙÑ  «Ö& Fe!1( €6œeä{ÙÑ\Reg$„ãMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skÉ "  BWIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostüC:\Windows\System32\winlogon.exe127.0.0.10€**Øä6œeä{ÙÑ  «Ö& F½!1 €6œeä{ÙÑ\Reg$„äMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAéÍUser32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10AudØ**Øå6œeä{ÙÑ  «Ö& F½!1 €6œeä{ÙÑ\Reg$„åMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  "   BWIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAyÎUser32 NegotiateWIN-03DLIIOFRRA--üC:\Windows\System32\winlogon.exe127.0.0.10Ø** æ6œeä{ÙÑ  «Ö& F!1@ €6œeä{ÙÑ\Reg$„æMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  ’ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAéÍSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeŒyÙÑ Ü **@ç£?Úä{ÙÑ  «Ö& F'!1 €£?Úä{ÙÑ\Reg$HçMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£     --ANONYMOUS LOGONNT AUTHORITY©€NtLmSsp NTLM-NTLM V1---Ö&@**èàL»ä{ÙÑ  «Ö& Fõ!0 €àL»ä{ÙÑ\Reg4èMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…› "dWIN-03DLIIOFRRA$WORKGROUPç¡Üä{ÙÑàL»ä{ÙÑÐC:\Program Files\VMware\VMware Tools\vmtoolsd.exej7bŒ**˜é‡ òä{ÙÑ  «Ö& F!1 €‡ òä{ÙÑ\Reg$„éMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ìC:\Windows\System32\services.exe--7bŒ˜** ê‡ òä{ÙÑ  «Ö& F…!1@ €‡ òä{ÙÑ\Reg$„êMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegej7bŒ **˜ëQ®ûå{ÙÑ  «Ö& F!1 €Q®ûå{ÙÑ\Reg$HëMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ìC:\Windows\System32\services.exe--7bŒ˜** ìQ®ûå{ÙÑ  «Ö& F…!1@ €Q®ûå{ÙÑ\Reg$HìMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege¬Œ **p팸è{ÙÑ  «Ö& Fk!1 €Œ¸è{ÙÑ$PíMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ìC:\Windows\System32\services.exe--p**ˆîŒ¸è{ÙÑ  «Ö& Fƒ!1@ €Œ¸è{ÙÑ$PîMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeoˆ**øïC»¼´0ÚÑ  «Ö& Fó!0 €C»¼´0ÚÑ<ïMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…›  bWIN-03DLIIOFRRA$WORKGROUPçBj8ú{ÙÑ@°©´0ÚÑÐC:\Program Files\VMware\VMware Tools\vmtoolsd.exe.ø**@ð¡åQ×0ÚÑ  «Ö& F;!6| €¡åQ×0ÚÑ$PðMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security 8+LÀµ»?8+LÀ ˜$BŽâ)½€òKDÿÿ8ðAÿÿ+= MemberName Aÿÿ)= MemberSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ)= TargetSid Aÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= PrivilegeList  -ÚÔ.›hVdí:éAdministratorsBuiltin ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAéÍ-„@**ÀñF‚´ä0ÚÑ  «Ö& F»!6s €F‚´ä0ÚÑ$TñMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security NÄsõ…NÄsM÷¨ûl‹ŒªªsâÿÿÖðAÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ)= TargetSid Aÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= PrivilegeList fsirWIN-03DLIIOFRRAÚÔ.›hVdí:èÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAéÍ-vÀ**Hò§ã¶ä0ÚÑ  «Ö& FA!1( €§ã¶ä0ÚÑ$PòMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skÉ  :WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhost$C:\Windows\System32\lsass.exe--hiH** ó§ã¶ä0ÚÑ  «Ö& F•!1 €§ã¶ä0ÚÑ$PóMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£   :WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¡Advapi NegotiateWIN-03DLIIOFRRA--$C:\Windows\System32\lsass.exe-- " ** ô§ã¶ä0ÚÑ  «Ö& F•!1 €§ã¶ä0ÚÑ$PôMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£   :WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¶Advapi NegotiateWIN-03DLIIOFRRA--$C:\Windows\System32\lsass.exe-- **õ§ã¶ä0ÚÑ  «Ö& F!1@ €§ã¶ä0ÚÑ$PõMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ëÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¡SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege**ÀöK˜Úä0ÚÑ  «Ö& F·!1 €K˜Úä0ÚÑ$ˆöMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ˜gèjE”˜gèjn‡-P‹ÿv‘‹*ÿÿðAÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId Aÿÿ)= LogonType ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¶%–„TxÀ**€÷K˜Úä0ÚÑ  «Ö& Fu!1 €K˜Úä0ÚÑ$ˆ÷Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ˜gèjE”ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¡ €**èø£M”^1ÚÑ  «Ö& Fß!6} €£M”^1ÚÑ$ øMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security 8+LÀµ -ÚÔ.›hVdí:èAdministratorsBuiltin ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAéÍ-**è**xùTóe1ÚÑ  «Ö& Fm!1' €Tóe1ÚÑ$ÔùMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{Nå4ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAyδx**Àúò0f1ÚÑ ê@S†6 !gL @ò0f1ÚÑ8(ú T3[Ô9icroÀ**(û¥RYr1ÚÑ  «Ö& F!0 €¥RYr1ÚÑ€Þ. ûMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî[<ro(**ü¥RYr1ÚÑ  «Ö& Fõ!1 €¥RYr1ÚÑ€Þ. üMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£   --SYSTEMNT AUTHORITYç-------cro**@ý†9er1ÚÑ  «Ö& F#!5& €†9er1ÚÑ€Þ.XýMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ»?õÉicro@**˜þæšgr1ÚÑ  «Ö& F!1 €æšgr1ÚÑ€Þ.ŒþMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--ro˜** ÿæšgr1ÚÑ  «Ö& F…!1@ €æšgr1ÚÑ€Þ.ŒÿMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegecro **¨(ãur1ÚÑ  «Ö& F‘!1 €(ãur1ÚÑ€Þ.Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--èC:\Windows\System32\services.exe--o¨**((ãur1ÚÑ  «Ö& F !1@ €(ãur1ÚÑ€Þ.Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegecro(**¨è¥zr1ÚÑ  «Ö& F!1 €è¥zr1ÚÑ€Þ.Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--èC:\Windows\System32\services.exe--cro¨** è¥zr1ÚÑ  «Ö& F !1@ €è¥zr1ÚÑ€Þ.Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeo **˜j+„r1ÚÑ  «Ö& F!1 €j+„r1ÚÑ€Þ.ŒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--ro˜** j+„r1ÚÑ  «Ö& F…!1@ €j+„r1ÚÑ€Þ.ŒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegecro **˜ŠO‹r1ÚÑ  «Ö& F!1 €ŠO‹r1ÚÑ€Þ.\Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--ro˜** ŠO‹r1ÚÑ  «Ö& F…!1@ €ŠO‹r1ÚÑ€Þ.\Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegecro **@^/s1ÚÑ  «Ö& F'!1 €^/s1ÚÑ\Reg\Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£     --ANONYMOUS LOGONNT AUTHORITY(KNtLmSsp NTLM-NTLM V1---@** PVîr1ÚÑ  «Ö& Fõ!0 €PVîr1ÚÑ\Reg, Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…› "dWIN-03DLIIOFRRA$WORKGROUPçÞ35s1ÚÑPVîr1ÚÑÌC:\Program Files\VMware\VMware Tools\vmtoolsd.exedow**˜ 3T s1ÚÑ  «Ö& F!1 €3T s1ÚÑ\Reg Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--IO˜**  3T s1ÚÑ  «Ö& F…!1@ €3T s1ÚÑ\Reg Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeile **˜ ³4Þs1ÚÑ  «Ö& F!1 €³4Þs1ÚÑ\Reg\ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--˜**  ³4Þs1ÚÑ  «Ö& F…!1@ €³4Þs1ÚÑ\Reg\ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeEM **`‰KÏt1ÚÑ  «Ö& FW!1( €‰KÏt1ÚÑ”Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skÉ  @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostC:\Windows\System32\winlogon.exe127.0.0.10µ`**°‰KÏt1ÚÑ  «Ö& F©!1 €‰KÏt1ÚÑ”Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£   @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAºUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10°**pÒ¹Œx1ÚÑ  «Ö& Fk!1 €Ò¹Œx1ÚÑMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe-- p**ˆÒ¹Œx1ÚÑ  «Ö& Fƒ!1@ €Ò¹Œx1ÚÑMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**x>DŠ´1ÚÑ  «Ö& Fm!1' €>DŠ´1ÚÑTMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{Nå4ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAº x**Ànµµ1ÚÑ ê@S†6 !gL @nµµ1ÚÑ@l T3[Ô9ilegÀ**(JêýÂ1ÚÑ  «Ö& F!0 €JêýÂ1ÚÑã0$(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî[<S~R(**JêýÂ1ÚÑ  «Ö& Fõ!1 €JêýÂ1ÚÑã0$(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£   --SYSTEMNT AUTHORITYç-------RA**@kÃ1ÚÑ  «Ö& F#!5& €kÃ1ÚÑã0$XMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ»?ØÉ**@**˜ËoÃ1ÚÑ  «Ö& F!1 €ËoÃ1ÚÑã0$„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--`â˜** ËoÃ1ÚÑ  «Ö& F…!1@ €ËoÃ1ÚÑã0$„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨ ¸Ã1ÚÑ  «Ö& F‘!1 € ¸Ã1ÚÑã0$„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--C:\Windows\System32\services.exe--S¨**( ¸Ã1ÚÑ  «Ö& F !1@ € ¸Ã1ÚÑã0$„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeN-0(**¨ÍzÃ1ÚÑ  «Ö& F!1 €ÍzÃ1ÚÑã0$TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--C:\Windows\System32\services.exe--Se¨** ÍzÃ1ÚÑ  «Ö& F !1@ €ÍzÃ1ÚÑã0$TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeW **˜N$Ã1ÚÑ  «Ö& F!1 €N$Ã1ÚÑã0$„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--OR˜** N$Ã1ÚÑ  «Ö& F…!1@ €N$Ã1ÚÑã0$„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜®a&Ã1ÚÑ  «Ö& F!1 €®a&Ã1ÚÑã0$„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--le˜**  ®a&Ã1ÚÑ  «Ö& F…!1@ €®a&Ã1ÚÑã0$„ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **@!Nb×Ã1ÚÑ  «Ö& F'!1 €Nb×Ã1ÚÑ\Reg$H!Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£     --ANONYMOUS LOGONNT AUTHORITY­INtLmSsp NTLM-NTLM V1---le@**˜"rÎ Ä1ÚÑ  «Ö& F!1 €rÎ Ä1ÚÑ\Reg$H"Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--Se˜rity ®x«õElfChnk#x#x€pûþíû*-µðóè=Î÷²›f?øm©MFº&ë eCm4U‡­GÝ%­eh**Ð #rÎ Ä1ÚÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! F!1@ €rÎ Ä1ÚÑ\Reg$H#Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É®x«C‚Å“Â-žhÿÿ\ðD‚ EventDataAÿÿEΊoData%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= PrivilegeList  &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeIN-0Ð **0$üÚäÄ1ÚÑ  «Ö& F!1 €üÚäÄ1ÚÑ\Reg$T$Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë Éï:ÚÁ¹öǬr›fË8(~ÿÿrðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId Aÿÿ)= LogonType Aÿÿ7)=LogonProcessName AÿÿI;=AuthenticationPackageName Aÿÿ5'=WorkstationName Aÿÿ)= LogonGuid Aÿÿ=/=TransmittedServices Aÿÿ1#= LmPackageName Aÿÿ)= KeyLength Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--ir0** %üÚäÄ1ÚÑ  «Ö& F…!1@ €üÚäÄ1ÚÑ\Reg$T%Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegenlo **ˆ&üQˆÆ1ÚÑ  «Ö& Fƒ!1( €üQˆÆ1ÚÑ$&Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk­`/skbðhP3å'vÿÿðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ)= LogonGuid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ5'=TargetLogonGuid Aÿÿ7)=TargetServerName Aÿÿ+= TargetInfo Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort   @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostðC:\Windows\System32\winlogon.exe127.0.0.10uˆ**°'üQˆÆ1ÚÑ  «Ö& F©!1 €üQˆÆ1ÚÑ$'Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë   @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA4QUser32 NegotiateWIN-03DLIIOFRRA--ðC:\Windows\System32\winlogon.exe127.0.0.10=°**p(©Ê1ÚÑ  «Ö& Fk!1 €©Ê1ÚÑ$T(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--op**ˆ)©Ê1ÚÑ  «Ö& Fƒ!1@ €©Ê1ÚÑ$T)Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegenˆ**Ø*PÜŸa÷ÞÑ  «Ö& FÓ!0 €PÜŸa÷ÞÑ<*Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…Ý% ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ/!= PreviousTime Aÿÿ%=NewTime Aÿÿ)= ProcessId Aÿÿ-= ProcessName   bWIN-03DLIIOFRRA$WORKGROUPçë?P2ÚÑPÜŸa÷ÞÑÀC:\Program Files\VMware\VMware Tools\vmtoolsd.exe>Ø**X+K\”|÷ÞÑ  «Ö& FM!1( €K\”|÷ÞÑ$+Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk­   >WIN-03DLIIOFRRA$WORKGROUPçarchirWIN-03DLIIOFRRAlocalhostlocalhostL C:\Windows\System32\consent.exe::10softX**¨,K\”|÷ÞÑ  «Ö& FŸ!1 €K\”|÷ÞÑ$,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë    >WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:éarchirWIN-03DLIIOFRRA¶]CredProNegotiateWIN-03DLIIOFRRA--L C:\Windows\System32\consent.exe::10 ¨**¨-K\”|÷ÞÑ  «Ö& FŸ!1 €K\”|÷ÞÑ$-Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë    >WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:éarchirWIN-03DLIIOFRRAÌ]CredProNegotiateWIN-03DLIIOFRRA--L C:\Windows\System32\consent.exe::10-K¨**.K\”|÷ÞÑ  «Ö& F!1@ €K\”|÷ÞÑ$.Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É ÚÔ.›hVdí:éarchirWIN-03DLIIOFRRA¶]SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegege **À/lª”|÷ÞÑ  «Ö& F»!1 €lª”|÷ÞÑ$\/Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ˜gèjm4˜gèjn‡-P‹ÿv‘‹*ÿÿðAÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId Aÿÿ)= LogonType  ÚÔ.›hVdí:éarchirWIN-03DLIIOFRRAÌ]hÀ**X0DI1†÷ÞÑ  «Ö& FM!1( €DI1†÷ÞÑ$0Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk­   >WIN-03DLIIOFRRA$WORKGROUPçarchirWIN-03DLIIOFRRAlocalhostlocalhost,C:\Windows\System32\consent.exe::10 AÿÿX**¨1DI1†÷ÞÑ  «Ö& FŸ!1 €DI1†÷ÞÑ$1Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë    >WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:éarchirWIN-03DLIIOFRRAeCredProNegotiateWIN-03DLIIOFRRA--,C:\Windows\System32\consent.exe::10ndo¨**¨2DI1†÷ÞÑ  «Ö& FŸ!1 €DI1†÷ÞÑ$2Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë    >WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:éarchirWIN-03DLIIOFRRAyCredProNegotiateWIN-03DLIIOFRRA--,C:\Windows\System32\consent.exe::10 ¨**3DI1†÷ÞÑ  «Ö& F!1@ €DI1†÷ÞÑ$3Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É ÚÔ.›hVdí:éarchirWIN-03DLIIOFRRAeSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege**€4e—1†÷ÞÑ  «Ö& Fy!1 €e—1†÷ÞÑ$4Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ˜gèjm4 ÚÔ.›hVdí:éarchirWIN-03DLIIOFRRAyY€**H5Z~R•÷ÞÑ  «Ö& F?!6| €Z~R•÷ÞÑ$è5Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security 8+LÀeC8+LÀ ˜$BŽâ)½€òKDÿÿ8ðAÿÿ+= MemberName Aÿÿ)= MemberSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ)= TargetSid Aÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= PrivilegeList   -ÚÔ.›hVdí:èAdministratorsBuiltin ÚÔ.›hVdí:éarchirWIN-03DLIIOFRRAe-H**ˆ6J­«œ÷ÞÑ  «Ö& F!1' €J­«œ÷ÞÑ$\6Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{N­G-{NŽ¯EßÄ•34èɦúÿÿîðAÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA4Qserˆ**€7Œõ¹œ÷ÞÑ  «Ö& Fy!1 €Œõ¹œ÷ÞÑ$7Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ˜gèjm4 ÚÔ.›hVdí:éarchirWIN-03DLIIOFRRAeCE€**`8*S ÷ÞÑ  «Ö& FW!1( €*S ÷ÞÑ$8Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk­  @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhost¨C:\Windows\System32\winlogon.exe127.0.0.10OFR`**°9*S ÷ÞÑ  «Ö& F©!1 €*S ÷ÞÑ$9Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë   @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¨User32 NegotiateWIN-03DLIIOFRRA--¨C:\Windows\System32\winlogon.exe127.0.0.10yT°**°:*S ÷ÞÑ  «Ö& F©!1 €*S ÷ÞÑ$:Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë   @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¨User32 NegotiateWIN-03DLIIOFRRA--¨C:\Windows\System32\winlogon.exe127.0.0.10°**;*S ÷ÞÑ  «Ö& F!1@ €*S ÷ÞÑ$;Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ÉÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¨SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **p< ÏCÂ÷ÞÑ  «Ö& Fk!1 € ÏCÂ÷ÞÑ$À<Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ= ÏCÂ÷ÞÑ  «Ö& Fƒ!1@ € ÏCÂ÷ÞÑ$À=Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegePˆ**p>ª%È÷ÞÑ  «Ö& Fk!1 €ª%È÷ÞÑ$\>Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ?ª%È÷ÞÑ  «Ö& Fƒ!1@ €ª%È÷ÞÑ$\?Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeNˆ**p@)C-È÷ÞÑ  «Ö& Fk!1 €)C-È÷ÞÑ$˜ @Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--dp**ˆA)C-È÷ÞÑ  «Ö& Fƒ!1@ €)C-È÷ÞÑ$˜ AMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeeˆ**ÐBtË÷ÞÑ  «Ö& FÅ!5( €tË÷ÞÑ$BMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYeh ëYã™O“Oªß®@ÚÿÿÎðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ5'=AuditSourceName Aÿÿ1#= EventSourceId Aÿÿ)= ProcessId Aÿÿ-= ProcessName   :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit6à¨C:\Windows\System32\VSSVC.exeditiÐ**ØCtË÷ÞÑ  «Ö& FÓ!5) €tË÷ÞÑ$CMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYeh  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit6à¨C:\Windows\System32\VSSVC.exeoØ**pDÁQòá÷ÞÑ  «Ö& Fk!1 €ÁQòá÷ÞÑ$ÀDMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆEÁQòá÷ÞÑ  «Ö& Fƒ!1@ €ÁQòá÷ÞÑ$ÀEMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pF¦€ùÞÑ  «Ö& Fk!1 €¦€ùÞÑ$ÌFMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆG¦€ùÞÑ  «Ö& Fƒ!1@ €¦€ùÞÑ$ÌGMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pHRœùÞÑ  «Ö& Fk!1 €RœùÞÑ$ÌHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁë     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆIRœùÞÑ  «Ö& Fƒ!1@ €RœùÞÑ$ÌIMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«É  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ØJ®SIùÞÑ  «Ö& FÓ!5( €®SIùÞÑ$È JMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYeh  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditel#ì C:\Windows\System32\VSSVC.exeØ**ØK¿zIùÞÑ  «Ö& FÓ!5) €¿zIùÞÑ$È KMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYeh  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditel#ì C:\Windows\System32\VSSVC.exeØ**ØLƃ÷ùÞÑ  «Ö& FÓ!5( €Æƒ÷ùÞÑ$È LMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYeh  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudite=(ì C:\Windows\System32\VSSVC.exeØ**ØMת÷ùÞÑ  «Ö& FÓ!5) €×ª÷ùÞÑ$È MMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYeh  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudite=(ì C:\Windows\System32\VSSVC.exeØ**PN9”| ùÞÑ  «Ö& FG!5+ €9”| ùÞÑ$4NMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡TØ®b¨ãb]Áh˺‘~ÿÿrðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ/!= ObjectServer Aÿÿ+= ObjectType Aÿÿ+= ObjectName Aÿÿ'=HandleId Aÿÿ!=OldSd Aÿÿ!=NewSd Aÿÿ)= ProcessId Aÿÿ-= ProcessName   hFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dlldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeP**¸Ok } ùÞÑ  «Ö& F­!5+ €k } ùÞÑ$4OMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  dFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-math-l1-1-0.dllxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸PŒW} ùÞÑ  «Ö& F­!5+ €ŒW} ùÞÑ$4PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  dFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll¤S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸Q­¥} ùÞÑ  «Ö& F³!5+ €­¥} ùÞÑ$4QMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  jFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dllŒS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**ÀRÎó} ùÞÑ  «Ö& F¹!5+ €Îó} ùÞÑ$4RMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  pFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0.dlldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeÀ**¸SïA~ ùÞÑ  «Ö& F¯!5+ €ïA~ ùÞÑ$4SMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  fFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dllxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸T!·~ ùÞÑ  «Ö& F³!5+ €!·~ ùÞÑ$4TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  jFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-utility-l1-1-0.dll¤S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸UB ùÞÑ  «Ö& F³!5+ €B ùÞÑ$4UMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  jFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-xstate-l2-1-0.dllŒS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸VcS ùÞÑ  «Ö& F±!5+ €cS ùÞÑ$4VMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  hFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-string-l1-1-0.dlldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸W•È ùÞÑ  «Ö& F­!5+ €•È ùÞÑ$4WMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  dFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-time-l1-1-0.dllxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸XÇ=€ ùÞÑ  «Ö& F³!5+ €Ç=€ ùÞÑ$4XMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  jFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-process-l1-1-0.dll¤S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**ÈYè‹€ ùÞÑ  «Ö& F¿!5+ €è‹€ ùÞÑ$4YMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  vFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-localization-l1-2-0.dllŒS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeÈ**ÈZ Ú€ ùÞÑ  «Ö& FÃ!5+ € Ú€ ùÞÑ$4ZMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  zFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-processthreads-l1-1-1.dlldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeÈ**¸[*( ùÞÑ  «Ö& F±!5+ €*( ùÞÑ$4[Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  hFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-synch-l1-2-0.dllxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**À\\ ùÞÑ  «Ö& F»!5+ €\ ùÞÑ$4\Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  rFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-environment-l1-1-0.dll¤S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeÀ**¸]}ë ùÞÑ  «Ö& F¯!5+ €}ë ùÞÑ$4]Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  fFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-conio-l1-1-0.dllŒS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸^¯`‚ ùÞÑ  «Ö& F¯!5+ €¯`‚ ùÞÑ$4^Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  fFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-file-l2-1-0.dlldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**À_Ю‚ ùÞÑ  «Ö& F·!5+ €Ð®‚ ùÞÑ$4_Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  nFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dllxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeÀ**`#rƒ ùÞÑ  «Ö& F‰!5+ €#rƒ ùÞÑ$4`Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  @FRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\ucrtbase.dll¤S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe**ÀaDÀƒ ùÞÑ  «Ö& F·!5+ €DÀƒ ùÞÑ$4aMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  nFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-timezone-l1-1-0.dllŒS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeÀ**Èb†\„ ùÞÑ  «Ö& F¿!5+ €†\„ ùÞÑ$4bMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  vFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-eventing-provider-l1-1-0.dlldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeÈ**¸c§ª„ ùÞÑ  «Ö& F³!5+ €§ª„ ùÞÑ$4cMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  jFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dllxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸dÉø„ ùÞÑ  «Ö& F¯!5+ €Éø„ ùÞÑ$4dMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  fFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-file-l1-2-0.dll¤S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸e •… ùÞÑ  «Ö& F³!5+ € •… ùÞÑ$4eMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  jFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-crt-private-l1-1-0.dllŒS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸f= † ùÞÑ  «Ö& F±!5+ €= † ùÞÑ$4fMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  hFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dlldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸g^X† ùÞÑ  «Ö& F­!5+ €^X† ùÞÑ$4gMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  dFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dllxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸h͆ ùÞÑ  «Ö& F­!5+ €Í† ùÞÑ$4hMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  dFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll¤S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸i±‡ ùÞÑ  «Ö& F³!5+ €±‡ ùÞÑ$4iMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  jFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dllŒS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**ÀjÒi‡ ùÞÑ  «Ö& F¹!5+ €Òi‡ ùÞÑ$4jMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  pFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dlldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeÀ**¸k%-ˆ ùÞÑ  «Ö& F¯!5+ €%-ˆ ùÞÑ$4kMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  fFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dllxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸lV¢ˆ ùÞÑ  «Ö& F³!5+ €V¢ˆ ùÞÑ$4lMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  jFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll¤S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸mwðˆ ùÞÑ  «Ö& F³!5+ €wðˆ ùÞÑ$4mMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  jFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.dllŒS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸n™>‰ ùÞÑ  «Ö& F±!5+ €™>‰ ùÞÑ$4nMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  hFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dlldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸oʳ‰ ùÞÑ  «Ö& F­!5+ €Ê³‰ ùÞÑ$4oMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  dFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dllxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸pü(Š ùÞÑ  «Ö& F³!5+ €ü(Š ùÞÑ$4pMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  jFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll¤S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**Èq PŠ ùÞÑ  «Ö& F¿!5+ € PŠ ùÞÑ$4qMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  vFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dllŒS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeÈ**Èr>ÅŠ ùÞÑ  «Ö& FÃ!5+ €>ÅŠ ùÞÑ$4rMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  zFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dlldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeÈ**¸sp:‹ ùÞÑ  «Ö& F±!5+ €p:‹ ùÞÑ$4sMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  hFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dllxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**Àt‘ˆ‹ ùÞÑ  «Ö& F»!5+ €‘ˆ‹ ùÞÑ$4tMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  rFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll¤S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeÀ**¸u²Ö‹ ùÞÑ  «Ö& F¯!5+ €²Ö‹ ùÞÑ$4uMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  fFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dllŒS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸vÓ$Œ ùÞÑ  «Ö& F¯!5+ €Ó$Œ ùÞÑ$4vMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  fFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dlldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**ÀwÁŒ ùÞÑ  «Ö& F·!5+ €ÁŒ ùÞÑ$4wMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  nFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dllxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeÀ**x7 ùÞÑ  «Ö& F‰!5+ €7 ùÞÑ$4xMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  @FRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\ucrtbase.dll¤S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe  «Ö& F5+ €X] ùÞÑ$4yMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bU‡  WIN-03DLIIOFRRA$WORKGROUPçSecurityFileElfChnkyÐyЀÐü ÿ3ÐKºÄÓîâóè =Î÷²›f?øm©MFº5Y&UCÝQ»õ^-V-**0 yX] ùÞÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! F{!5+ €X] ùÞÑ$4yMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»TØ®b¨ãb]Áh˺‘¬ÿÿ âD‚ EventDataAÿÿE ΊoData%=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ObjectServer Aÿÿ+ = ObjectType Aÿÿ+ = ObjectName Aÿÿ' =HandleId Aÿÿ! =OldSd Aÿÿ! =NewSd Aÿÿ) = ProcessId Aÿÿ- = ProcessName   nFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dllŒS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe0 **ÈzŠÒ ùÞÑ  «Ö& F¿!5+ €ŠÒ ùÞÑ$4zMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  vFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-eventing-provider-l1-1-0.dlldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeÈ**¸{« Ž ùÞÑ  «Ö& F³!5+ €« Ž ùÞÑ$4{Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  jFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dllxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**¸|ÌnŽ ùÞÑ  «Ö& F¯!5+ €ÌnŽ ùÞÑ$4|Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  fFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll¤S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeITY¸**¸}í¼Ž ùÞÑ  «Ö& F³!5+ €í¼Ž ùÞÑ$4}Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  jFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.dllŒS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exe¸**Ð~d½$ùÞÑ  «Ö& FÅ!5( €d½$ùÞÑ$Ì~Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY- ëYã™O“Oªß®@ÚÿÿÎâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ5 '=AuditSourceName Aÿÿ1 #= EventSourceId Aÿÿ) = ProcessId Aÿÿ- = ProcessName   :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit€+ì C:\Windows\System32\VSSVC.exeÐ**Ød½$ùÞÑ  «Ö& FÓ!5) €d½$ùÞÑ$ÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit€+ì C:\Windows\System32\VSSVC.exeiØ**Ø€˜}t(ùÞÑ  «Ö& FÓ!5( €˜}t(ùÞÑ$P€Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit>W.ì C:\Windows\System32\VSSVC.exemØ**ؘ}t(ùÞÑ  «Ö& FÓ!5) €˜}t(ùÞÑ$PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit>W.ì C:\Windows\System32\VSSVC.exeUØ**Ø‚rX¢,ùÞÑ  «Ö& FÓ!5( €rX¢,ùÞÑ$P‚Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit1ì C:\Windows\System32\VSSVC.exe Ø**؃rX¢,ùÞÑ  «Ö& FÓ!5) €rX¢,ùÞÑ$PƒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit1ì C:\Windows\System32\VSSVC.exegØ**Ø„Ð4@1ùÞÑ  «Ö& FÓ!5( €Ð4@1ùÞÑ$„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditK4ì C:\Windows\System32\VSSVC.exeÿØ**Ø…Ð4@1ùÞÑ  «Ö& FÓ!5) €Ð4@1ùÞÑ$…Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditK4ì C:\Windows\System32\VSSVC.exeØ**؆KUÿ5ùÞÑ  «Ö& FÓ!5( €KUÿ5ùÞÑ$†Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditúË6ì C:\Windows\System32\VSSVC.exe Ø**؇KUÿ5ùÞÑ  «Ö& FÓ!5) €KUÿ5ùÞÑ$‡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditúË6ì C:\Windows\System32\VSSVC.exe|Ø**؈˜?ùÞÑ  «Ö& FÓ!5( €˜?ùÞÑ$̈Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditÐ:ì C:\Windows\System32\VSSVC.exe\Ø**؉˜?ùÞÑ  «Ö& FÓ!5) €˜?ùÞÑ$̉Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditÐ:ì C:\Windows\System32\VSSVC.exe$Ø**ÈŠw¯!AùÞÑ  «Ö& F¿!5+ €w¯!AùÞÑ$4ŠMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  vFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll(S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeTakÈ**È‹ºK"AùÞÑ  «Ö& F¿!5+ €ºK"AùÞÑ$4‹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  vFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe\S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exerSiÈ**ÈŒX&AùÞÑ  «Ö& FÁ!5+ €X&AùÞÑ$4ŒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  xFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)À C:\Windows\servicing\TrustedInstaller.exeOFÈ**Ø/¨yEùÞÑ  «Ö& FÓ!5( €/¨yEùÞÑ$PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit„Ü<ì C:\Windows\System32\VSSVC.exeØ**ØŽ/¨yEùÞÑ  «Ö& FÓ!5) €/¨yEùÞÑ$PŽMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit„Ü<ì C:\Windows\System32\VSSVC.exeØ**˜î³ùÞÑ  «Ö& F!1 €˜î³ùÞÑ$ØMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁM<ï:ÚÁ¹öǬr›fË8(~ÿÿrâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId Aÿÿ) = LogonType Aÿÿ7 )=LogonProcessName AÿÿI ;=AuthenticationPackageName Aÿÿ5 '=WorkstationName Aÿÿ) = LogonGuid Aÿÿ= /=TransmittedServices Aÿÿ1 #= LmPackageName Aÿÿ) = KeyLength Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--Ay**à˜î³ùÞÑ  «Ö& FÕ!1@ €˜î³ùÞÑ$ØMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«UCM<®x«C‚Å“Â-ž:ÿÿ.âAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList   $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege €J­«œà**p‘`ÒñùÞÑ  «Ö& Fk!1 €`ÒñùÞÑ$È ‘Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁM<    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ’`ÒñùÞÑ  «Ö& Fƒ!1@ €`ÒñùÞÑ$È ’Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«UC  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege ˆ**Ø“¬è>øùÞÑ  «Ö& FÓ!5( €¬è>øùÞÑ$¸ “Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit¶gjPC:\Windows\System32\VSSVC.exeØ**Ø”¬è>øùÞÑ  «Ö& FÓ!5) €¬è>øùÞÑ$¸ ”Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY-  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit¶gjPC:\Windows\System32\VSSVC.exeØ**P•s¢AúÞÑ  «Ö& FE!6| €s¢AúÞÑ$¸ •Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security 8+LÀÝQ8+LÀ ˜$BŽâ)½€òKDÿÿ8âAÿÿ+ = MemberName Aÿÿ) = MemberSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ) = TargetSid Aÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList  *  -ÚÔ.›hVdí:èPerformance Log UsersBuiltin /WIN-03DLIIOFRRA$WORKGROUPç-nmenP**–ÃÙ¾'ûÞÑ  «Ö& Fÿ!0À €ÃÙ¾'ûÞÑ$ –Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security =¢7-V=¢7-†Mñ-Û¿•X^ÿÿRâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ# =Module Aÿÿ+ = ReturnCode   WIN-03DLIIOFRRA$WORKGROUPçncrypt.dll**À—;¾ (ûÞÑ  «Ö& Fµ!0 €;¾ (ûÞÑ$ЗMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Yü"ý–ðxä­{Úç É×hÿ^ÿÿRâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ProviderName Aÿÿ1 #= AlgorithmName Aÿÿ% =KeyName Aÿÿ% =KeyType Aÿÿ- = KeyFilePath Aÿÿ) = Operation Aÿÿ+ = ReturnCode   N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458?À**˜˜;¾ (ûÞÑ  «Ö& F!0Å €;¾ (ûÞÑ$ИMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^Ø‘>Áד8ƒn<ùfT×*ÿÿâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ProviderName Aÿÿ1 #= AlgorithmName Aÿÿ% =KeyName Aÿÿ% =KeyType Aÿÿ) = Operation Aÿÿ+ = ReturnCode   NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480 ˜**H™l3(ûÞÑ  «Ö& F?!0 €l3(ûÞÑ$ЙMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458 H**Pš}Z(ûÞÑ  «Ö& FK!0Å €}Z(ûÞÑ$КMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480-P**H›(ûÞÑ  «Ö& F?!0 €(ûÞÑ$ЛMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Pœ<(ûÞÑ  «Ö& FK!0Å €<(ûÞÑ$ÐœMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480-P**H«(ûÞÑ  «Ö& F?!0 €«(ûÞÑ$À Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458kenH**Pž«(ûÞÑ  «Ö& FK!0Å €«(ûÞÑ$À žMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**HŸa=(ûÞÑ  «Ö& F?!0 €a=(ûÞÑ$À ŸMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458$H**P a=(ûÞÑ  «Ö& FK!0Å €a=(ûÞÑ$À  Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**H¡æu(ûÞÑ  «Ö& F?!0 €æu(ûÞÑ$À ¡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458ecuH**P¢æu(ûÞÑ  «Ö& FK!0Å €æu(ûÞÑ$À ¢Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480SP**H£j®(ûÞÑ  «Ö& F?!0 €j®(ûÞÑ$À £Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458ritH**P¤j®(ûÞÑ  «Ö& FK!0Å €j®(ûÞÑ$À ¤Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**H¥ÿ (ûÞÑ  «Ö& F?!0 €ÿ (ûÞÑ$Ð¥Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458®bU‡H**P¦ÿ (ûÞÑ  «Ö& FK!0Å €ÿ (ûÞÑ$ЦMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480cP**H§„F!(ûÞÑ  «Ö& F?!0 €„F!(ûÞÑ$ЧMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458IN-H**P¨„F!(ûÞÑ  «Ö& FK!0Å €„F!(ûÞÑ$ШMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**H©¦"(ûÞÑ  «Ö& F?!0 €¦"(ûÞÑ$ЩMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458ROUH**Pª¦"(ûÞÑ  «Ö& FK!0Å €¦"(ûÞÑ$ЪMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**H«ÏS$(ûÞÑ  «Ö& F?!0 €ÏS$(ûÞÑ$ЫMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458FilH**P¬ÏS$(ûÞÑ  «Ö& FK!0Å €ÏS$(ûÞÑ$ЬMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**H­TŒ%(ûÞÑ  «Ö& F?!0 €TŒ%(ûÞÑ$ЭMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458m32H**P®TŒ%(ûÞÑ  «Ö& FK!0Å €TŒ%(ûÞÑ$ЮMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480LP**H¯a'(ûÞÑ  «Ö& F?!0 €a'(ûÞÑ$ЯMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458imeH**P°a'(ûÞÑ  «Ö& FK!0Å €a'(ûÞÑ$аMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**H±Ñ)(ûÞÑ  «Ö& F?!0 €Ñ)(ûÞÑ$бMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458dllH**P²Ñ)(ûÞÑ  «Ö& FK!0Å €Ñ)(ûÞÑ$вMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480lP**H³ÊX+(ûÞÑ  «Ö& F?!0 €ÊX+(ûÞÑ$гMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458AI(H**P´Ú+(ûÞÑ  «Ö& FK!0Å €Ú+(ûÞÑ$дMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480\P**Hµoß,(ûÞÑ  «Ö& F?!0 €oß,(ûÞÑ$еMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458CRSH**P¶oß,(ûÞÑ  «Ö& FK!0Å €oß,(ûÞÑ$жMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480-P**H·W/(ûÞÑ  «Ö& F?!0 €W/(ûÞÑ$зMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458CH**P¸h)/(ûÞÑ  «Ö& FK!0Å €h)/(ûÞÑ$иMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480(P**H¹PL1(ûÞÑ  «Ö& F?!0 €PL1(ûÞÑ$йMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458lerH**PºPL1(ûÞÑ  «Ö& FK!0Å €PL1(ûÞÑ$кMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480DP**H»H–3(ûÞÑ  «Ö& F?!0 €H–3(ûÞÑ$лMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458**H**P¼H–3(ûÞÑ  «Ö& FK!0Å €H–3(ûÞÑ$мMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480ÀP**H½ ’5(ûÞÑ  «Ö& F?!0 € ’5(ûÞÑ$нMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P¾ ’5(ûÞÑ  «Ö& FK!0Å € ’5(ûÞÑ$оMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**H¿µ7(ûÞÑ  «Ö& F?!0 €µ7(ûÞÑ$пMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**PÀµ7(ûÞÑ  «Ö& FK!0Å €µ7(ûÞÑ$ÐÀMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480.P**HÁß°9(ûÞÑ  «Ö& F?!0 €ß°9(ûÞÑ$ÐÁMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**PÂß°9(ûÞÑ  «Ö& FK!0Å €ß°9(ûÞÑ$ÐÂMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**HÃÇÓ;(ûÞÑ  «Ö& F?!0 €ÇÓ;(ûÞÑ$ÐÃMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458MiH**PÄÇÓ;(ûÞÑ  «Ö& FK!0Å €ÇÓ;(ûÞÑ$ÐÄMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**HÅŸÏ=(ûÞÑ  «Ö& F?!0 €ŸÏ=(ûÞÑ$ÐÅMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458ecuH**PƯö=(ûÞÑ  «Ö& FK!0Å €¯ö=(ûÞÑ$ÐÆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**HǨ@@(ûÞÑ  «Ö& F?!0 €¨@@(ûÞÑ$ÐÇMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458¥º>;H**PȨ@@(ûÞÑ  «Ö& FK!0Å €¨@@(ûÞÑ$ÐÈMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480 P**HÉNÇA(ûÞÑ  «Ö& F?!0 €NÇA(ûÞÑ$ÐÉMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458 H**PÊ^îA(ûÞÑ  «Ö& FK!0Å €^îA(ûÞÑ$ÐÊMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**HË%ÃC(ûÞÑ  «Ö& F?!0 €%ÃC(ûÞÑ$ÐËMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**PÌ6êC(ûÞÑ  «Ö& FK!0Å €6êC(ûÞÑ$ÐÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480-P**HÍ.4F(ûÞÑ  «Ö& F?!0 €.4F(ûÞÑ$ÐÍMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**PÎ.4F(ûÞÑ  «Ö& FK!0Å €.4F(ûÞÑ$ÐÎMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480dP**HÏõH(ûÞÑ  «Ö& F?!0 €õH(ûÞÑ$ÐÏMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–5Y  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%24583DLH**PÐõH(ûÞÑ  «Ö& FK!0Å €õH(ûÞÑ$ÐÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>õ^  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P  «Ö& FSecuri0 €›I(ûÞÑ$ÐÑMicrosoft-Windows-Security-AuditingElfChnkÑ'Ñ'€ ühÿziÂð¨-  âóè =Î÷²›f?øm©MFº»&¥ **˜ Ñ›I(ûÞÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! Fã!0 €›I(ûÞÑ$ÐÑMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»ü"ý–ðxä­{Úç É×hÿŒÿÿ€âD‚ EventDataAÿÿE ΊoData%=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ProviderName Aÿÿ1 #= AlgorithmName Aÿÿ% =KeyName Aÿÿ% =KeyType Aÿÿ- = KeyFilePath Aÿÿ) = Operation Aÿÿ+ = ReturnCode   N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458F˜ **˜Ò«¶I(ûÞÑ  «Ö& F!0Å €«¶I(ûÞÑ$ÐÒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥ Ø‘>Áד8ƒn<ùfT×*ÿÿâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ProviderName Aÿÿ1 #= AlgorithmName Aÿÿ% =KeyName Aÿÿ% =KeyType Aÿÿ) = Operation Aÿÿ+ = ReturnCode   NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480;DCL˜**HÓ¤L(ûÞÑ  «Ö& F?!0 €¤L(ûÞÑ$ÐÓMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458}H**PÔµ'L(ûÞÑ  «Ö& FK!0Å €µ'L(ûÞÑ$ÐÔMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**HÕ­qN(ûÞÑ  «Ö& F?!0 €­qN(ûÞÑ$ÐÕMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458cesH**PÖ­qN(ûÞÑ  «Ö& FK!0Å €­qN(ûÞÑ$ÐÖMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480UP**H×èWQ(ûÞÑ  «Ö& F?!0 €èWQ(ûÞÑ$Ð×Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458 H**PØù~Q(ûÞÑ  «Ö& FK!0Å €ù~Q(ûÞÑ$ÐØMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480SP**HÙ3eT(ûÞÑ  «Ö& F?!0 €3eT(ûÞÑ$À ÙMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458 H**PÚDŒT(ûÞÑ  «Ö& FK!0Å €DŒT(ûÞÑ$À ÚMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**HÛ=ÖV(ûÞÑ  «Ö& F?!0 €=ÖV(ûÞÑ$À ÛMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**PÜ=ÖV(ûÞÑ  «Ö& FK!0Å €=ÖV(ûÞÑ$À ÜMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480\P**HÝÒX(ûÞÑ  «Ö& F?!0 €ÒX(ûÞÑ$À ÝMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**PÞÒX(ûÞÑ  «Ö& FK!0Å €ÒX(ûÞÑ$À ÞMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480-P**HßüôZ(ûÞÑ  «Ö& F?!0 €üôZ(ûÞÑ$À ßMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Pà [(ûÞÑ  «Ö& FK!0Å € [(ûÞÑ$À àMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480uP**Háä](ûÞÑ  «Ö& F?!0 €ä](ûÞÑ$À áMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Pâä](ûÞÑ  «Ö& FK!0Å €ä](ûÞÑ$À âMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**H㊞^(ûÞÑ  «Ö& F?!0 €Šž^(ûÞÑ$À ãMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P䊞^(ûÞÑ  «Ö& FK!0Å €Šž^(ûÞÑ$À äMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**Hå0%`(ûÞÑ  «Ö& F?!0 €0%`(ûÞÑ$À åMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458onmH**Pæ@L`(ûÞÑ  «Ö& FK!0Å €@L`(ûÞÑ$À æMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480NP**Hç´]a(ûÞÑ  «Ö& F?!0 €´]a(ûÞÑ$À çMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458bugH**PèÅ„a(ûÞÑ  «Ö& FK!0Å €Å„a(ûÞÑ$À èMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**Hé­§c(ûÞÑ  «Ö& F?!0 €­§c(ûÞÑ$À éMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458ÿÿH**Pê­§c(ûÞÑ  «Ö& FK!0Å €­§c(ûÞÑ$À êMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480P**Hë„£e(ûÞÑ  «Ö& F?!0 €„£e(ûÞÑ$ÐëMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458rnCH**Pì•Êe(ûÞÑ  «Ö& FK!0Å €•Êe(ûÞÑ$ÐìMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480=P**Hí®bh(ûÞÑ  «Ö& F?!0 €®bh(ûÞÑ$ÐíMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458\MaH**Pî®bh(ûÞÑ  «Ö& FK!0Å €®bh(ûÞÑ$ÐîMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480tP**Hï3›i(ûÞÑ  «Ö& F?!0 €3›i(ûÞÑ$ÐïMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Pð3›i(ûÞÑ  «Ö& FK!0Å €3›i(ûÞÑ$ÐðMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**Hñ¸Ój(ûÞÑ  «Ö& F?!0 €¸Ój(ûÞÑ$ÐñMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Pò¸Ój(ûÞÑ  «Ö& FK!0Å €¸Ój(ûÞÑ$ÐòMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**Hó,åk(ûÞÑ  «Ö& F?!0 €,åk(ûÞÑ$ÐóMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Pô,åk(ûÞÑ  «Ö& FK!0Å €,åk(ûÞÑ$ÐôMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**Hõ öl(ûÞÑ  «Ö& F?!0 € öl(ûÞÑ$ÐõMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Pö öl(ûÞÑ  «Ö& FK!0Å € öl(ûÞÑ$ÐöMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**H÷n(ûÞÑ  «Ö& F?!0 €n(ûÞÑ$Ð÷Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Pø$/n(ûÞÑ  «Ö& FK!0Å €$/n(ûÞÑ$ÐøMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**Hù˜@o(ûÞÑ  «Ö& F?!0 €˜@o(ûÞÑ$ÐùMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Pú˜@o(ûÞÑ  «Ö& FK!0Å €˜@o(ûÞÑ$ÐúMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**Hû Rp(ûÞÑ  «Ö& F?!0 € Rp(ûÞÑ$ÐûMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Püyp(ûÞÑ  «Ö& FK!0Å €yp(ûÞÑ$ÐüMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**Hý²Øq(ûÞÑ  «Ö& F?!0 €²Øq(ûÞÑ$ÐýMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Pþ²Øq(ûÞÑ  «Ö& FK!0Å €²Øq(ûÞÑ$ÐþMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**HÿÃr(ûÞÑ  «Ö& F?!0 €Ãr(ûÞÑ$ÐÿMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**PÃr(ûÞÑ  «Ö& FK!0Å €Ãr(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**HÜ—t(ûÞÑ  «Ö& F?!0 €Ü—t(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Pí¾t(ûÞÑ  «Ö& FK!0Å €í¾t(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**Hq÷u(ûÞÑ  «Ö& F?!0 €q÷u(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Pq÷u(ûÞÑ  «Ö& FK!0Å €q÷u(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**HWw(ûÞÑ  «Ö& F?!0 €Ww(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**PWw(ûÞÑ  «Ö& FK!0Å €Ww(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**Hœ¶x(ûÞÑ  «Ö& F?!0 €œ¶x(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P¬Ýx(ûÞÑ  «Ö& FK!0Å €¬Ýx(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**H A=z(ûÞÑ  «Ö& F?!0 €A=z(ûÞÑ$Ð Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P A=z(ûÞÑ  «Ö& FK!0Å €A=z(ûÞÑ$Ð Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**H çÃ{(ûÞÑ  «Ö& F?!0 €çÃ{(ûÞÑ$Ð Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P çÃ{(ûÞÑ  «Ö& FK!0Å €çÃ{(ûÞÑ$Ð Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**H [Õ|(ûÞÑ  «Ö& F?!0 €[Õ|(ûÞÑ$Ð Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Plü|(ûÞÑ  «Ö& FK!0Å €lü|(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**H\~(ûÞÑ  «Ö& F?!0 €\~(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P\~(ûÞÑ  «Ö& FK!0Å €\~(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**Hum(ûÞÑ  «Ö& F?!0 €um(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P…”(ûÞÑ  «Ö& FK!0Å €…”(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**H+(ûÞÑ  «Ö& F?!0 €+(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P+(ûÞÑ  «Ö& FK!0Å €+(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**HÀz‚(ûÞÑ  «Ö& F?!0 €Àz‚(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**PÀz‚(ûÞÑ  «Ö& FK!0Å €Àz‚(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**HUÚƒ(ûÞÑ  «Ö& F?!0 €UÚƒ(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**Pf„(ûÞÑ  «Ö& FK!0Å €f„(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**HÚ…(ûÞÑ  «Ö& F?!0 €Ú…(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**PÚ…(ûÞÑ  «Ö& FK!0Å €Ú…(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**HÀ†(ûÞÑ  «Ö& F?!0 €À†(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**PÀ†(ûÞÑ  «Ö& FK!0Å €À†(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**H% ˆ(ûÞÑ  «Ö& F?!0 €% ˆ(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P% ˆ(ûÞÑ  «Ö& FK!0Å €% ˆ(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**H˦‰(ûÞÑ  «Ö& F?!0 €Ë¦‰(ûÞÑ$ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P ˦‰(ûÞÑ  «Ö& FK!0Å €Ë¦‰(ûÞÑ$Ð Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**H!£¢‹(ûÞÑ  «Ö& F?!0 €£¢‹(ûÞÑ$Ð!Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P"³É‹(ûÞÑ  «Ö& FK!0Å €³É‹(ûÞÑ$Ð"Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**H#'ÛŒ(ûÞÑ  «Ö& F?!0 €'ÛŒ(ûÞÑ$Ð#Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P$8(ûÞÑ  «Ö& FK!0Å €8(ûÞÑ$Ð$Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**H%ÍaŽ(ûÞÑ  «Ö& F?!0 €ÍaŽ(ûÞÑ$Ð%Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P&ÍaŽ(ûÞÑ  «Ö& FK!0Å €ÍaŽ(ûÞÑ$Ð&Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>¥  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480iP**H'As(ûÞÑ  «Ö& F?!0 €As(ûÞÑ$Ð'Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–»  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H   «Ö& rosoft-Windows0Å €As(ûÞÑ$Ð(ElfChnk(|(|€¨ü€þŒÌ½5\NJåâóè =Î÷²›f?øm©MFº} &Â-±»ÝÌ**p (As(ûÞÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! F»!0Å €As(ûÞÑ$Ð(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»Ø‘>Áד8ƒn<ùfT×XÿÿLâD‚ EventDataAÿÿE ΊoData%=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ProviderName Aÿÿ1 #= AlgorithmName Aÿÿ% =KeyName Aÿÿ% =KeyType Aÿÿ) = Operation Aÿÿ+ = ReturnCode   NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480fip **À)ÖÒ(ûÞÑ  «Ö& Fµ!0 €ÖÒ(ûÞÑ$Ð)Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–} ü"ý–ðxä­{Úç É×hÿ^ÿÿRâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ProviderName Aÿÿ1 #= AlgorithmName Aÿÿ% =KeyName Aÿÿ% =KeyType Aÿÿ- = KeyFilePath Aÿÿ) = Operation Aÿÿ+ = ReturnCode   N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458;DCLÀ**P*ÖÒ(ûÞÑ  «Ö& FK!0Å €ÖÒ(ûÞÑ$Ð*Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**H+[ ’(ûÞÑ  «Ö& F?!0 €[ ’(ûÞÑ$Ð+Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P,[ ’(ûÞÑ  «Ö& FK!0Å €[ ’(ûÞÑ$Ð,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**H-ßC“(ûÞÑ  «Ö& F?!0 €ßC“(ûÞÑ$Ð-Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458UH**P.ßC“(ûÞÑ  «Ö& FK!0Å €ßC“(ûÞÑ$Ð.Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**H/d|”(ûÞÑ  «Ö& F?!0 €d|”(ûÞÑ$Ð/Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458SH**P0d|”(ûÞÑ  «Ö& FK!0Å €d|”(ûÞÑ$Ð0Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**H1ùÛ•(ûÞÑ  «Ö& F?!0 €ùÛ•(ûÞÑ$Ð1Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P2ùÛ•(ûÞÑ  «Ö& FK!0Å €ùÛ•(ûÞÑ$Ð2Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**H3}—(ûÞÑ  «Ö& F?!0 €}—(ûÞÑ$Ð3Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458\H**P4}—(ûÞÑ  «Ö& FK!0Å €}—(ûÞÑ$Ð4Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**H5t˜(ûÞÑ  «Ö& F?!0 €t˜(ûÞÑ$Ð5Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458-H**P6t˜(ûÞÑ  «Ö& FK!0Å €t˜(ûÞÑ$Ð6Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**H7—¬™(ûÞÑ  «Ö& F?!0 €—¬™(ûÞÑ$Ð7Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458uH**P8—¬™(ûÞÑ  «Ö& FK!0Å €—¬™(ûÞÑ$Ð8Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**H9Ï›(ûÞÑ  «Ö& F?!0 €Ï›(ûÞÑ$Ð9Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P:Ï›(ûÞÑ  «Ö& FK!0Å €Ï›(ûÞÑ$Ð:Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**H;ˆ@ž(ûÞÑ  «Ö& F?!0 €ˆ@ž(ûÞÑ$Ð;Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P<ˆ@ž(ûÞÑ  «Ö& FK!0Å €ˆ@ž(ûÞÑ$Ð<Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**H=Ã&¡(ûÞÑ  «Ö& F?!0 €Ã&¡(ûÞÑ$Ð=Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458NH**P>ÔM¡(ûÞÑ  «Ö& FK!0Å €ÔM¡(ûÞÑ$Ð>Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**H?QФ(ûÞÑ  «Ö& F?!0 €QФ(ûÞÑ$Ð?Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**P@QФ(ûÞÑ  «Ö& FK!0Å €QФ(ûÞÑ$Ð@Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**HAœÝ§(ûÞÑ  «Ö& F?!0 €œÝ§(ûÞÑ$ÐAMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458H**PB­¨(ûÞÑ  «Ö& FK!0Å €­¨(ûÞÑ$ÐBMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**HC 9«(ûÞÑ  «Ö& F?!0 € 9«(ûÞÑ$ÐCMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458=H**PD*‡«(ûÞÑ  «Ö& FK!0Å €*‡«(ûÞÑ$ÐDMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**HEv”®(ûÞÑ  «Ö& F?!0 €v”®(ûÞÑ$ÐEMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458tH**PFv”®(ûÞÑ  «Ö& FK!0Å €v”®(ûÞÑ$ÐFMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**HG°(ûÞÑ  «Ö& F?!0 €°(ûÞÑ$ÐGMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458iH**PH,B°(ûÞÑ  «Ö& FK!0Å €,B°(ûÞÑ$ÐHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**HIâï±(ûÞÑ  «Ö& F?!0 €âï±(ûÞÑ$ÐIMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458iH**PJâï±(ûÞÑ  «Ö& FK!0Å €âï±(ûÞÑ$ÐJMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**HKV³(ûÞÑ  «Ö& F?!0 €V³(ûÞÑ$ÐKMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458iH**PLV³(ûÞÑ  «Ö& FK!0Å €V³(ûÞÑ$ÐLMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**HMë`´(ûÞÑ  «Ö& F?!0 €ë`´(ûÞÑ$ÐMMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458iH**PNë`´(ûÞÑ  «Ö& FK!0Å €ë`´(ûÞÑ$ÐNMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**HOp™µ(ûÞÑ  «Ö& F?!0 €p™µ(ûÞÑ$ÐOMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458iH**PP€Àµ(ûÞÑ  «Ö& FK!0Å €€Àµ(ûÞÑ$ÐPMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**HQôѶ(ûÞÑ  «Ö& F?!0 €ôѶ(ûÞÑ$ÐQMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458iH**PRôѶ(ûÞÑ  «Ö& FK!0Å €ôѶ(ûÞÑ$ÐRMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**HShã·(ûÞÑ  «Ö& F?!0 €hã·(ûÞÑ$ÐSMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458iH**PTy ¸(ûÞÑ  «Ö& FK!0Å €y ¸(ûÞÑ$ÐTMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**HUþB¹(ûÞÑ  «Ö& F?!0 €þB¹(ûÞÑ$ÐUMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458iH**PVþB¹(ûÞÑ  «Ö& FK!0Å €þB¹(ûÞÑ$ÐVMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**HWrTº(ûÞÑ  «Ö& F?!0 €rTº(ûÞÑ$ÐWMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458iH**PXrTº(ûÞÑ  «Ö& FK!0Å €rTº(ûÞÑ$ÐXMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**HYöŒ»(ûÞÑ  «Ö& F?!0 €öŒ»(ûÞÑ$ÐYMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458iH**PZöŒ»(ûÞÑ  «Ö& FK!0Å €öŒ»(ûÞÑ$ÐZMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**H[Zw¼(ûÞÑ  «Ö& F?!0 €Zw¼(ûÞÑ$Ð[Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458iH**P\jž¼(ûÞÑ  «Ö& FK!0Å €jž¼(ûÞÑ$Ð\Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**H]ïÖ½(ûÞÑ  «Ö& F?!0 €ïÖ½(ûÞÑ$Ð]Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458iH**P^ïÖ½(ûÞÑ  «Ö& FK!0Å €ïÖ½(ûÞÑ$Ð^Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**H_cè¾(ûÞÑ  «Ö& F?!0 €cè¾(ûÞÑ$Ð_Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458iH**P`cè¾(ûÞÑ  «Ö& FK!0Å €cè¾(ûÞÑ$Ð`Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**Ha×ù¿(ûÞÑ  «Ö& F?!0 €×ù¿(ûÞÑ$ÐaMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ü"ý–}  N Z ê WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage Provider%%2432IIS Express Development Certificate Container%%2499C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fad662b360941f26a1193357aab3c12d_a7b657c1-9d7a-4b7a-bf03-92c147b0e417%%2458iH**Pb×ù¿(ûÞÑ  «Ö& FK!0Å €×ù¿(ûÞÑ$ÐbMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ø‘>»  NZ  WIN-03DLIIOFRRA$WORKGROUPçMicrosoft Software Key Storage ProviderRSAIIS Express Development Certificate Container%%2499%%2480rP**cÕ±&üÞÑ  «Ö& F÷!5+ €Õ±&üÞÑ$4cMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b-±TØ®b¨ãb]Áh˺‘~ÿÿrâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ObjectServer Aÿÿ+ = ObjectType Aÿÿ+ = ObjectName Aÿÿ' =HandleId Aÿÿ! =OldSd Aÿÿ! =NewSd Aÿÿ) = ProcessId Aÿÿ- = ProcessName   0B>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Config.Msi\112221.rbf´S:AI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)ôC:\Windows\System32\msiexec.exe**hd×l#&üÞÑ  «Ö& Fa!5+ €×l#&üÞÑ$4dMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b-±  0B>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Config.Msi\112223.rbf´S:AI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)ôC:\Windows\System32\msiexec.exeh**heàÝ%&üÞÑ  «Ö& Fa!5+ €àÝ%&üÞÑ$4eMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b-±  0B>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Config.Msi\112224.rbfD S:AI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)ôC:\Windows\System32\msiexec.exeh**fþýgüÞÑ  «Ö& F!1 €þýgüÞÑ$l fMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁýºï:ÚÁ¹öǬr›fË8(~ÿÿrâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId Aÿÿ) = LogonType Aÿÿ7 )=LogonProcessName AÿÿI ;=AuthenticationPackageName Aÿÿ5 '=WorkstationName Aÿÿ) = LogonGuid Aÿÿ= /=TransmittedServices Aÿÿ1 #= LmPackageName Aÿÿ) = KeyLength Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--**àgþýgüÞÑ  «Ö& FÕ!1@ €þýgüÞÑ$l gMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Âýº®x«C‚Å“Â-ž:ÿÿ.âAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList   $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeà**phÕFhüÞÑ  «Ö& Fk!1 €ÕFhüÞÑ$l hMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁýº    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆiÕFhüÞÑ  «Ö& Fƒ!1@ €ÕFhüÞÑ$l iMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Â  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**Ðj–ÝnüÞÑ  «Ö& FÅ!5( €–ÝnüÞÑ$ jMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÝÌ ëYã™O“Oªß®@ÚÿÿÎâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ5 '=AuditSourceName Aÿÿ1 #= EventSourceId Aÿÿ) = ProcessId Aÿÿ- = ProcessName   :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit)ƈC:\Windows\System32\VSSVC.exeÐ**Øk–ÝnüÞÑ  «Ö& FÓ!5) €–ÝnüÞÑ$ kMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÝÌ  :WIN-03DLIIOFRRA$WORKGROUPçVSSAudit)ƈC:\Windows\System32\VSSVC.exeØ**plB>êýÞÑ  «Ö& Fk!1 €B>êýÞÑ$ lMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁýº    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆmB>êýÞÑ  «Ö& Fƒ!1@ €B>êýÞÑ$ mMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Â  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pnå„L%þÞÑ  «Ö& Fk!1 €å„L%þÞÑ$ nMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁýº    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆoå„L%þÞÑ  «Ö& Fƒ!1@ €å„L%þÞÑ$ oMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Â  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ppsde%þÞÑ  «Ö& Fk!1 €sde%þÞÑ$ pMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁýº    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆqsde%þÞÑ  «Ö& Fƒ!1@ €sde%þÞÑ$ qMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Â  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ØrÌW)þÞÑ  «Ö& FÓ!5( €ÌW)þÞÑ$rMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÝÌ  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditÑÇ`tC:\Windows\System32\VSSVC.exeØ**ØsÌW)þÞÑ  «Ö& FÓ!5) €ÌW)þÞÑ$sMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÝÌ  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditÑÇ`tC:\Windows\System32\VSSVC.exeØ**pt-× ÒþÞÑ  «Ö& Fk!1 €-× ÒþÞÑ$ÜtMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁýº    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆu-× ÒþÞÑ  «Ö& Fƒ!1@ €-× ÒþÞÑ$ÜuMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Â  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ØvóJZÖþÞÑ  «Ö& FÓ!5( €óJZÖþÞÑ$vMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÝÌ  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditÙd”@C:\Windows\System32\VSSVC.exeØ**ØwóJZÖþÞÑ  «Ö& FÓ!5) €óJZÖþÞÑ$wMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÝÌ  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditÙd”@C:\Windows\System32\VSSVC.exeØ**px*‡jßÑ  «Ö& Fk!1 €*‡jßÑ$xMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁýº    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆy*‡jßÑ  «Ö& Fƒ!1@ €*‡jßÑ$yMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Â  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pzÏC3jßÑ  «Ö& Fk!1 €ÏC3jßÑ$ zMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁýº    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ{ÏC3jßÑ  «Ö& Fƒ!1@ €ÏC3jßÑ$ {Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Â  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**Ø|8’OnßÑ  «Ö& FÓ!5( €8’OnßÑ$t|Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÝÌ  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditPq °C:\Windows\System32\VSSVC.exeØ  «Ö& F5) €8’OnßÑ$t}Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÝÌ  WIN-03DLIIOFRRA$WORKGROUPçElfChnk}×}×€ðúpýœt«ÎÑ^Ì âóè =Î÷²›f?øm©MFº&mu-í*»**¨}8’OnßÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! Fó!5) €8’OnßÑ$t}Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY» ëYã™O“Oªß®@ÿÿüâD‚ EventDataAÿÿE ΊoData%=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ5 '=AuditSourceName Aÿÿ1 #= EventSourceId Aÿÿ) = ProcessId Aÿÿ- = ProcessName   :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditPq °C:\Windows\System32\VSSVC.execr¨**Ø~u¥Ë¡ßÑ  «Ö& FÓ!5( €u¥Ë¡ßÑ$„ ~Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY»  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditÚ"°C:\Windows\System32\VSSVC.exeØ**Øu¥Ë¡ßÑ  «Ö& FÓ!5) €u¥Ë¡ßÑ$„ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY»  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditÚ"°C:\Windows\System32\VSSVC.exeeØ**€R ëÕßÑ  «Ö& F!1 €R ëÕßÑ$€Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁeï:ÚÁ¹öǬr›fË8(~ÿÿrâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId Aÿÿ) = LogonType Aÿÿ7 )=LogonProcessName AÿÿI ;=AuthenticationPackageName Aÿÿ5 '=WorkstationName Aÿÿ) = LogonGuid Aÿÿ= /=TransmittedServices Aÿÿ1 #= LmPackageName Aÿÿ) = KeyLength Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--**àR ëÕßÑ  «Ö& FÕ!1@ €R ëÕßÑ$Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«me®x«C‚Å“Â-ž:ÿÿ.âAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList   $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeà**p‚¢ª¤ÏßÑ  «Ö& Fk!1 €¢ª¤ÏßÑ$ ‚Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁe    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆƒ¢ª¤ÏßÑ  «Ö& Fƒ!1@ €¢ª¤ÏßÑ$ ƒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«m  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p„#0®ÏßÑ  «Ö& Fk!1 €#0®ÏßÑ$„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁe    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ…#0®ÏßÑ  «Ö& Fƒ!1@ €#0®ÏßÑ$…Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«m  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**؆¿;ÉÒßÑ  «Ö& FÓ!5( €¿;ÉÒßÑ$ †Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY»  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditðÄhC:\Windows\System32\VSSVC.exeØ**؇¿;ÉÒßÑ  «Ö& FÓ!5) €¿;ÉÒßÑ$ ‡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY»  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditðÄhC:\Windows\System32\VSSVC.exeØ**ˆˆ ù’¦ßÑ  «Ö& F!1' € ù’¦ßÑ$ˆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{Ní*-{NŽ¯EßÄ•34èɦúÿÿîâAÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¨ˆ**H‰êJ“¦ßÑ  «Ö& FA!5+ €êJ“¦ßÑ$4‰Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-TØ®b¨ãb]Áh˺‘~ÿÿrâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ObjectServer Aÿÿ+ = ObjectType Aÿÿ+ = ObjectName Aÿÿ' =HandleId Aÿÿ! =OldSd Aÿÿ! =NewSd Aÿÿ) = ProcessId Aÿÿ- = ProcessName   vF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\Microsoft.NET\Framework\v2.0.50727\webengine.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exeH**°ŠêJ“¦ßÑ  «Ö& F«!5+ €êJ“¦ßÑ$4ŠMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  vF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe°**¸‹êJ“¦ßÑ  «Ö& F­!5+ €êJ“¦ßÑ$4‹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  xF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¸**¸ŒêJ“¦ßÑ  «Ö& F¯!5+ €êJ“¦ßÑ$4ŒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  zF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Data.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¸**¸JcL“¦ßÑ  «Ö& F¯!5+ €JcL“¦ßÑ$4Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  zF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\Microsoft.NET\Framework64\v2.0.50727\webengine.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¸**¸ŽJcL“¦ßÑ  «Ö& F¯!5+ €JcL“¦ßÑ$4ŽMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  zF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¸**¸JcL“¦ßÑ  «Ö& F±!5+ €JcL“¦ßÑ$4Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  |F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Web.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¸**¸JcL“¦ßÑ  «Ö& F³!5+ €JcL“¦ßÑ$4Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  ~F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Data.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¸**x‘ªÄN“¦ßÑ  «Ö& Fm!5+ €ªÄN“¦ßÑ$4‘Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  8F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\smss.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exex**x’ &Q“¦ßÑ  «Ö& Fq!5+ € &Q“¦ßÑ$4’Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  <F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\csrsrv.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exex**x“ &Q“¦ßÑ  «Ö& Fo!5+ € &Q“¦ßÑ$4“Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  :F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\ntdll.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exex**€” &Q“¦ßÑ  «Ö& Fu!5+ € &Q“¦ßÑ$4”Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\ntoskrnl.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe€**ˆ• &Q“¦ßÑ  «Ö& F}!5+ € &Q“¦ßÑ$4•Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\apisetschema.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exeˆ**x–k‡S“¦ßÑ  «Ö& Fo!5+ €k‡S“¦ßÑ$4–Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  :F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\ntdll.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exex**€—k‡S“¦ßÑ  «Ö& Fu!5+ €k‡S“¦ßÑ$4—Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\ntoskrnl.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe€**€˜k‡S“¦ßÑ  «Ö& Fu!5+ €k‡S“¦ßÑ$4˜Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\ntkrnlpa.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe€**x™ËèU“¦ßÑ  «Ö& Fs!5+ €ËèU“¦ßÑ$4™Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\AppPatch\acwow64.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exex**pšËèU“¦ßÑ  «Ö& Fk!5+ €ËèU“¦ßÑ$4šMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  6F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\tdh.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exep**¨›+JX“¦ßÑ  «Ö& F!5+ €+JX“¦ßÑ$4›Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  hF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-debug-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨** œ+JX“¦ßÑ  «Ö& F›!5+ €+JX“¦ßÑ$4œMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  fF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-misc-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe **°+JX“¦ßÑ  «Ö& F¥!5+ €+JX“¦ßÑ$4Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  pF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe°** ž+JX“¦ßÑ  «Ö& F›!5+ €+JX“¦ßÑ$4žMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  fF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-heap-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe **xŸ+JX“¦ßÑ  «Ö& Fo!5+ €+JX“¦ßÑ$4ŸMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  :F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wow64.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exex**€ Œ«Z“¦ßÑ  «Ö& Fu!5+ €Œ«Z“¦ßÑ$4 Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wow64cpu.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe€**¨¡Œ«Z“¦ßÑ  «Ö& FŸ!5+ €Œ«Z“¦ßÑ$4¡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  jF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-handle-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**¸¢Œ«Z“¦ßÑ  «Ö& F­!5+ €Œ«Z“¦ßÑ$4¢Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  xF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¸**¨£Œ«Z“¦ßÑ  «Ö& F£!5+ €Œ«Z“¦ßÑ$4£Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  nF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**°¤Œ«Z“¦ßÑ  «Ö& F«!5+ €Œ«Z“¦ßÑ$4¤Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  vF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-localization-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe°**¨¥ì ]“¦ßÑ  «Ö& F¡!5+ €ì ]“¦ßÑ$4¥Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  lF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-profile-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**°¦ì ]“¦ßÑ  «Ö& F©!5+ €ì ]“¦ßÑ$4¦Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  tF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe°**°§ì ]“¦ßÑ  «Ö& F§!5+ €ì ]“¦ßÑ$4§Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  rF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe°**x¨ì ]“¦ßÑ  «Ö& Fs!5+ €ì ]“¦ßÑ$4¨Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\ntvdm64.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exex** ©Ln_“¦ßÑ  «Ö& F›!5+ €Ln_“¦ßÑ$4©Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  fF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-util-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe **¸ªLn_“¦ßÑ  «Ö& F­!5+ €Ln_“¦ßÑ$4ªMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  xF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¸**¸«Ln_“¦ßÑ  «Ö& F­!5+ €Ln_“¦ßÑ$4«Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  xF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¸**¨¬Ln_“¦ßÑ  «Ö& FŸ!5+ €Ln_“¦ßÑ$4¬Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  jF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**¨­­Ïa“¦ßÑ  «Ö& FŸ!5+ €­Ïa“¦ßÑ$4­Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  jF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨** ®­Ïa“¦ßÑ  «Ö& F›!5+ €­Ïa“¦ßÑ$4®Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  fF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-file-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe **x¯ 1d“¦ßÑ  «Ö& Fs!5+ € 1d“¦ßÑ$4¯Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\conhost.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exex**¨° 1d“¦ßÑ  «Ö& F!5+ € 1d“¦ßÑ$4°Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  hF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-synch-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**€± 1d“¦ßÑ  «Ö& Fu!5+ € 1d“¦ßÑ$4±Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\advapi32.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe€**¸² 1d“¦ßÑ  «Ö& F¯!5+ € 1d“¦ßÑ$4²Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  zF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¸**À³m’f“¦ßÑ  «Ö& F·!5+ €m’f“¦ßÑ$4³Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  ‚F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exeÀ**€´m’f“¦ßÑ  «Ö& Fu!5+ €m’f“¦ßÑ$4´Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wow64win.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe€** µm’f“¦ßÑ  «Ö& F—!5+ €m’f“¦ßÑ$4µMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  bF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-io-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe **€¶m’f“¦ßÑ  «Ö& Fu!5+ €m’f“¦ßÑ$4¶Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\kernel32.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe€**€·m’f“¦ßÑ  «Ö& Fy!5+ €m’f“¦ßÑ$4·Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  DF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\KernelBase.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe€**¨¸Íóh“¦ßÑ  «Ö& F¡!5+ €Íóh“¦ßÑ$4¸Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  lF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**¨¹Íóh“¦ßÑ  «Ö& FŸ!5+ €Íóh“¦ßÑ$4¹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  jF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-memory-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**¨ºÍóh“¦ßÑ  «Ö& F¡!5+ €Íóh“¦ßÑ$4ºMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  lF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-console-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**¨»Íóh“¦ßÑ  «Ö& FŸ!5+ €Íóh“¦ßÑ$4»Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  jF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-string-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**x¼Íóh“¦ßÑ  «Ö& Fq!5+ €Íóh“¦ßÑ$4¼Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  <F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\winsrv.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exex**°½.Uk“¦ßÑ  «Ö& F¥!5+ €.Uk“¦ßÑ$4½Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  pF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe°**¨¾.Uk“¦ßÑ  «Ö& F£!5+ €.Uk“¦ßÑ$4¾Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  nF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-security-base-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**°¿.Uk“¦ßÑ  «Ö& F§!5+ €.Uk“¦ßÑ$4¿Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  rF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe°**xÀ.Uk“¦ßÑ  «Ö& Fq!5+ €.Uk“¦ßÑ$4ÀMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  <F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\instnm.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exex**pÁ.Uk“¦ßÑ  «Ö& Fk!5+ €.Uk“¦ßÑ$4ÁMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  6F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\tdh.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exep**¨ÂŽ¶m“¦ßÑ  «Ö& F!5+ €Ž¶m“¦ßÑ$4ÂMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  hF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨** ÃŽ¶m“¦ßÑ  «Ö& F›!5+ €Ž¶m“¦ßÑ$4ÃMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  fF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe **°ÄŽ¶m“¦ßÑ  «Ö& F¥!5+ €Ž¶m“¦ßÑ$4ÄMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  pF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe°** ÅŽ¶m“¦ßÑ  «Ö& F›!5+ €Ž¶m“¦ßÑ$4ÅMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  fF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe **xÆîp“¦ßÑ  «Ö& Fm!5+ €îp“¦ßÑ$4ÆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  8F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\user.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exex**¨Çîp“¦ßÑ  «Ö& FŸ!5+ €îp“¦ßÑ$4ÇMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  jF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**¸Èîp“¦ßÑ  «Ö& F­!5+ €îp“¦ßÑ$4ÈMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  xF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¸**¨Éîp“¦ßÑ  «Ö& F£!5+ €îp“¦ßÑ$4ÉMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  nF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**°Êîp“¦ßÑ  «Ö& F«!5+ €îp“¦ßÑ$4ÊMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  vF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe°**¨ËNyr“¦ßÑ  «Ö& F¡!5+ €Nyr“¦ßÑ$4ËMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  lF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**°ÌNyr“¦ßÑ  «Ö& F©!5+ €Nyr“¦ßÑ$4ÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  tF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe°**°ÍNyr“¦ßÑ  «Ö& F§!5+ €Nyr“¦ßÑ$4ÍMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  rF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe°**xÎNyr“¦ßÑ  «Ö& Fs!5+ €Nyr“¦ßÑ$4ÎMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\ntvdm64.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exex** Ï¯Út“¦ßÑ  «Ö& F›!5+ €¯Út“¦ßÑ$4ÏMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  fF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe **¸Ð¯Út“¦ßÑ  «Ö& F­!5+ €¯Út“¦ßÑ$4ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  xF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¸**¸Ñ¯Út“¦ßÑ  «Ö& F­!5+ €¯Út“¦ßÑ$4ÑMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  xF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¸**¨Ò¯Út“¦ßÑ  «Ö& FŸ!5+ €¯Út“¦ßÑ$4ÒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  jF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**¨Ó¯Út“¦ßÑ  «Ö& FŸ!5+ €¯Út“¦ßÑ$4ÓMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®bu-  jF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨** Ô;(à Security TØ®bu-  fF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe **xÕ;(à Security TØ®bu-  :F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wow32.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exex**¨Ö;(à Security TØ®bu-  hF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**€×;(à Security TØ®bu-  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\advapi32.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe€  «Ö& F5+ €;(à Security TØ®bu-  zFWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸ElfChnkØ/Ø/€Hýhÿ¯bÁØYéãTâóè =t/Î÷²›fC/?øq.©MFºÎ+&Ó8#AÕ¡/»£éem-}²**( Ø;(à Security TØ®b»TØ®b¨ãb]Áh˺‘¬ÿÿ âD‚ EventDataAÿÿE ΊoData%=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ObjectServer Aÿÿ+ = ObjectType Aÿÿ+ = ObjectName Aÿÿ' =HandleId Aÿÿ! =OldSd Aÿÿ! =NewSd Aÿÿ) = ProcessId Aÿÿ- = ProcessName   zF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exeSS( **ÀÙoy“¦ßÑ  «Ö& F·!5+ €oy“¦ßÑ$4ÙMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ‚F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe$À** Úoy“¦ßÑ  «Ö& F—!5+ €oy“¦ßÑ$4ÚMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  bF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exeogo **€Ûoy“¦ßÑ  «Ö& Fy!5+ €oy“¦ßÑ$4ÛMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  DF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\KernelBase.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe €**€ÜÐþ{“¦ßÑ  «Ö& Fu!5+ €Ðþ{“¦ßÑ$4ÜMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\kernel32.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exež:€**¨ÝÐþ{“¦ßÑ  «Ö& F¡!5+ €Ðþ{“¦ßÑ$4ÝMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  lF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exeri¨**¨ÞÐþ{“¦ßÑ  «Ö& FŸ!5+ €Ðþ{“¦ßÑ$4ÞMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  jF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exeORK¨**¨ßÐþ{“¦ßÑ  «Ö& F¡!5+ €Ðþ{“¦ßÑ$4ßMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  lF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exeeS¨**¨à0`~“¦ßÑ  «Ö& FŸ!5+ €0`~“¦ßÑ$4àMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  jF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¥º>;¨**°á0`~“¦ßÑ  «Ö& F¥!5+ €0`~“¦ßÑ$4áMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  pF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe°**xâ0`~“¦ßÑ  «Ö& Fs!5+ €0`~“¦ßÑ$4âMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\setup16.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exex**¨ã0`~“¦ßÑ  «Ö& F£!5+ €0`~“¦ßÑ$4ãMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  nF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exe¨**°äÁ€“¦ßÑ  «Ö& F§!5+ €Á€“¦ßÑ$4äMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  rF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¸C:\Windows\System32\poqexec.exeTar°**àådhG•¦ßÑ ê@SÎ+ê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $q.m5DUserData! u!gL @dhG•¦ßÑDÌå T3[/T3[ÓˆY}É*ë•ÄlJAÿÿ>C/«'ServiceShutdown Ft/Nwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**0æ!&•¦ßÑ  «Ö& F!1 €!&•¦ßÑ`Þç$ˆæMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1ï:ÚÁ¹öǬr›fË8(~ÿÿrâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId Aÿÿ) = LogonType Aÿÿ7 )=LogonProcessName AÿÿI ;=AuthenticationPackageName Aÿÿ5 '=WorkstationName Aÿÿ) = LogonGuid Aÿÿ= /=TransmittedServices Aÿÿ1 #= LmPackageName Aÿÿ) = KeyLength Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--Mi0**ðç!&•¦ßÑ  «Ö& F×!1@ €!&•¦ßÑ`Þç$ˆçMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8£1®x«C‚Å“Â-ž:ÿÿ.âAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList  &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeð**Pè xæßÑ  «Ö& F9!0 € xæßÑ â®øüèMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîÃ=Ý&ÎîË|Ö Žp)·cîÿÿâ$P**é xæßÑ  «Ö& Fõ!1 € xæßÑ â®øüéMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1  --SYSTEMNT AUTHORITYç-------ecu**Èê ‹Ã¦ßÑ  «Ö& F¯!5& € ‹Ã¦ßÑ â®ø0êMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ#AºìÇ'1°—`A—–—ù tÿÿhâAÿÿ' =PuaCount Aÿÿ- = PuaPolicyId MÈysÈ**˜ëäPaĦßÑ  «Ö& F!1 €äPaĦßÑ â®øëMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1 " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--)¸˜** ìäPaĦßÑ  «Ö& F…!1@ €äPaĦßÑ â®øìMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8 &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegetin **¨ígá}ĦßÑ  «Ö& F‘!1 €gá}ĦßÑ â®øíMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1 "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--ØC:\Windows\System32\services.exe--¨**(îgá}ĦßÑ  «Ö& F !1@ €gá}ĦßÑ â®øîMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegews-(**¨ïèf‡Ä¦ßÑ  «Ö& F!1 €èf‡Ä¦ßÑ â®øïMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1 " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--ØC:\Windows\System32\services.exe--%–„Tx¨** ðèf‡Ä¦ßÑ  «Ö& F !1@ €èf‡Ä¦ßÑ â®øðMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8 œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜ñiìĦßÑ  «Ö& F!1 €iìĦßÑ â®øñMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1 " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--Mi˜** òiìĦßÑ  «Ö& F…!1@ €iìĦßÑ â®øòMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8 &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeysW **˜óÊM“ĦßÑ  «Ö& F!1 €ÊM“ĦßÑ â®øóMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1 " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--64˜** ôÊM“ĦßÑ  «Ö& F…!1@ €ÊM“ĦßÑ â®øôMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8 &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege$ **˜õø³ ŦßÑ  «Ö& F!1 €ø³ ŦßÑ â®øõMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1 " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--˜** öø³ ŦßÑ  «Ö& F…!1@ €ø³ ŦßÑ â®øöMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8 &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeROU **p÷|§ùƦßÑ  «Ö& Fk!1 €|§ùƦßÑø÷Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--p**ˆø|§ùƦßÑ  «Ö& Fƒ!1@ €|§ùƦßÑøøMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeDˆ**ùIǦßÑ  «Ö& F!1 €IǦßÑøDùMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1  --ANONYMOUS LOGONNT AUTHORITYÏiNtLmSsp NTLM-NTLM V1---2**Øú[&ǦßÑ  «Ö& FÓ!0 €[&ǦßÑ@úMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…em ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼âAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != PreviousTime Aÿÿ% =NewTime Aÿÿ) = ProcessId Aÿÿ- = ProcessName   bWIN-03DLIIOFRRA$WORKGROUPç)ÍWǦßÑp4&ǦßÑèC:\Program Files\VMware\VMware Tools\vmtoolsd.exeØ**pûÙZǦßÑ  «Ö& Fk!1 €ÙZǦßÑøDûMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--p**ˆüÙZǦßÑ  «Ö& Fƒ!1@ €ÙZǦßÑøDüMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pýnFfȦßÑ  «Ö& Fk!1 €nFfȦßÑø(ýMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--yp**ˆþnFfȦßÑ  «Ö& Fƒ!1@ €nFfȦßÑø(þMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegedˆ**ˆÿô„Ó¦ßÑ  «Ö& Fƒ!1( €ô„Ó¦ßÑø(ÿMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk-}Ã=`/skbðhP3å'vÿÿâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ) = LogonGuid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ5 '=TargetLogonGuid Aÿÿ7 )=TargetServerName Aÿÿ+ = TargetInfo Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort   @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostÈC:\Windows\System32\winlogon.exe127.0.0.104ˆ**°ô„Ó¦ßÑ  «Ö& F©!1 €ô„Ó¦ßÑø(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA User32 NegotiateWIN-03DLIIOFRRA--ÈC:\Windows\System32\winlogon.exe127.0.0.10°**°ô„Ó¦ßÑ  «Ö& F©!1 €ô„Ó¦ßÑø(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA» User32 NegotiateWIN-03DLIIOFRRA--ÈC:\Windows\System32\winlogon.exe127.0.0.10°**ô„Ó¦ßÑ  «Ö& F!1@ €ô„Ó¦ßÑø(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege**p­t“Ú¦ßÑ  «Ö& Fk!1 €­t“Ú¦ßÑø¬Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--;p**ˆ­t“Ú¦ßÑ  «Ö& Fƒ!1@ €­t“Ú¦ßÑø¬Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p`êô*§ßÑ  «Ö& Fk!1 €`êô*§ßÑø,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--p**ˆ`êô*§ßÑ  «Ö& Fƒ!1@ €`êô*§ßÑø,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**`u+mT¯ßÑ  «Ö& FW!1( €u+mT¯ßÑølMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk-}  @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostÈC:\Windows\System32\winlogon.exe127.0.0.10Sec`**°u+mT¯ßÑ  «Ö& F©!1 €u+mT¯ßÑølMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¬¡User32 NegotiateWIN-03DLIIOFRRA--ÈC:\Windows\System32\winlogon.exe127.0.0.10°**° u+mT¯ßÑ  «Ö& F©!1 €u+mT¯ßÑøl Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAº¡User32 NegotiateWIN-03DLIIOFRRA--ÈC:\Windows\System32\winlogon.exe127.0.0.10°** u+mT¯ßÑ  «Ö& F!1@ €u+mT¯ßÑøl Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¬¡SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeOF**À ÕŒoT¯ßÑ  «Ö& F·!1 €ÕŒoT¯ßÑøl Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ˜gèjÕ¡˜gèjn‡-P‹ÿv‘‹*ÿÿâAÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId Aÿÿ) = LogonType ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAº¡C:\À**€ ÕŒoT¯ßÑ  «Ö& Fu!1 €ÕŒoT¯ßÑøl Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ˜gèjÕ¡ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¬¡ €m’f“€**p ϲ޵ßÑ  «Ö& Fk!1 €Ï²ÞµßÑø< Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--p**ˆÏ²ÞµßÑ  «Ö& Fƒ!1@ €Ï²ÞµßÑø< Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeUˆ**pð&¹ÞµßÑ  «Ö& Fk!1 €ð&¹ÞµßÑø(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--p**ˆð&¹ÞµßÑ  «Ö& Fƒ!1@ €ð&¹ÞµßÑø(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeUˆ**ÐÐ ãµßÑ  «Ö& FÅ!5( €Ð ãµßÑøHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY² ëYã™O“Oªß®@ÚÿÿÎâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ5 '=AuditSourceName Aÿÿ1 #= EventSourceId Aÿÿ) = ProcessId Aÿÿ- = ProcessName   :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditPEêC:\Windows\System32\VSSVC.execrosÐ**ØÐ ãµßÑ  «Ö& FÓ!5) €Ð ãµßÑøHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY²  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditPEêC:\Windows\System32\VSSVC.exeØ**ptÃãëµßÑ  «Ö& Fk!1 €tÃãëµßÑø(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--op**ˆtÃãëµßÑ  «Ö& Fƒ!1@ €tÃãëµßÑø(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegesˆ**p ãn°ßßÑ  «Ö& Fk!1 € ãn°ßßÑøè Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--p**ˆ ãn°ßßÑ  «Ö& Fƒ!1@ € ãn°ßßÑøè Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeKˆ**pAv°ßßÑ  «Ö& Fk!1 €Av°ßßÑø(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--Kp**ˆAv°ßßÑ  «Ö& Fƒ!1@ €Av°ßßÑø(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege¸ˆ**pl“á12àÑ  «Ö& Fk!1 €l“á12àÑø| Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--(p**ˆl“á12àÑ  «Ö& Fƒ!1@ €l“á12àÑø| Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pŒÖò42àÑ  «Ö& Fk!1 €ŒÖò42àÑø| Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--p**ˆŒÖò42àÑ  «Ö& Fƒ!1@ €ŒÖò42àÑø| Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pÉwú42àÑ  «Ö& Fk!1 €Éwú42àÑø4 Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--p**ˆÉwú42àÑ  «Ö& Fƒ!1@ €Éwú42àÑø4 Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeiˆ**Ø4’ù72àÑ  «Ö& FÓ!5( €4’ù72àÑø Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY²  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditœs©ÔC:\Windows\System32\VSSVC.execØ**Ø 4’ù72àÑ  «Ö& FÓ!5) €4’ù72àÑø Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY²  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditœs©ÔC:\Windows\System32\VSSVC.exeØ**p!ŠT´2àÑ  «Ö& Fk!1 €ŠT´2àÑød!Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ØC:\Windows\System32\services.exe--op**ˆ"ŠT´2àÑ  «Ö& Fƒ!1@ €ŠT´2àÑød"Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege-ˆ**Ø#‹w…·2àÑ  «Ö& FÓ!5( €‹w…·2àÑøÐ#Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY²  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditΑ²4C:\Windows\System32\VSSVC.exeØ**Ø$‹w…·2àÑ  «Ö& FÓ!5) €‹w…·2àÑøÐ$Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëY²  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditΑ²4C:\Windows\System32\VSSVC.exe1Ø**À%‰ZtO3àÑ ê@SÎ+ !gL @‰ZtO3àÑ,P% T3[/¯Út“À**˜&@ñ,O3àÑ  «Ö& F!1' €@ñ,O3àÑà­ø(&Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{N£é-{NŽ¯EßÄ•34èɦúÿÿîâAÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId   ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA» e˜**('¾~{x3àÑ  «Ö& F!0 €¾~{x3àÑðÞ¨'Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîÃ=(**(¾~{x3àÑ  «Ö& Fõ!1 €¾~{x3àÑðÞ¨(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1  --SYSTEMNT AUTHORITYç-------!**@)A˜x3àÑ  «Ö& F#!5& €A˜x3àÑðÞ¨T)Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ#A‚Èows\@**˜*݆y3àÑ  «Ö& F!1 €Ý†y3àÑðÞ¨L*Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1 " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--:\˜** +݆y3àÑ  «Ö& F…!1@ €Ý†y3àÑðÞ¨L+Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8 &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegee **¨,À ¥y3àÑ  «Ö& F‘!1 €À ¥y3àÑðÞ¨L,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1 "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--äC:\Windows\System32\services.exe--¨**(-À ¥y3àÑ  «Ö& F !1@ €À ¥y3àÑðÞ¨L-Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeWD)(**¨.á.¬y3àÑ  «Ö& F!1 €á.¬y3àÑðÞ¨d.Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ£1 " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--äC:\Windows\System32\services.exe--ste¨** /á.¬y3àÑ  «Ö& F !1@ €á.¬y3àÑðÞ¨d/Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«Ó8 œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivileges reads-l1-1-0  «Ö& F¸ElfChnk0†0†€øþ¸ÿ Äu?öÆvðóè=dhÎ÷²›f3h?øag©MFº¾d&#‹p h“j-ü+mý_** 0S³y3àÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! FC!1 €S³y3àÑðÞ¨L0Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉï:ÚÁ¹öǬr›fË8(¬ÿÿ ðD‚ EventDataAÿÿEΊoData%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId Aÿÿ)= LogonType Aÿÿ7)=LogonProcessName AÿÿI;=AuthenticationPackageName Aÿÿ5'=WorkstationName Aÿÿ)= LogonGuid Aÿÿ=/=TransmittedServices Aÿÿ1#= LmPackageName Aÿÿ)= KeyLength Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--- **ð1S³y3àÑ  «Ö& F×!1@ €S³y3àÑðÞ¨L1Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#É®x«C‚Å“Â-ž:ÿÿ.ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= PrivilegeList  &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeA$ð**˜2b´µy3àÑ  «Ö& F!1 €b´µy3àÑðÞ¨d2Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** 3b´µy3àÑ  «Ö& F…!1@ €b´µy3àÑðÞ¨d3Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeri **p4‘ác{3àÑ  «Ö& Fk!1 €‘ác{3àÑL4Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--dp**ˆ5‘ác{3àÑ  «Ö& Fƒ!1@ €‘ác{3àÑL5Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegesˆ**6™T¹{3àÑ  «Ö& F!1 €™T¹{3àÑL6Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --ANONYMOUS LOGONNT AUTHORITYmNtLmSsp NTLM-NTLM V1---“**p7¤bý{3àÑ  «Ö& Fk!1 €¤bý{3àÑd7Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--ep**ˆ8¤bý{3àÑ  «Ö& Fƒ!1@ €¤bý{3àÑd8Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegexˆ**p9ì}3àÑ  «Ö& Fk!1 €ì}3àÑ@9Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe---p**ˆ:ì}3àÑ  «Ö& Fƒ!1@ €ì}3àÑ@:Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege›ˆ**ˆ;Œƒ‰3àÑ  «Ö& Fƒ!1( €Œƒ‰3àÑP;Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk=.`/skbðhP3å'vÿÿðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ)= LogonGuid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ5'=TargetLogonGuid Aÿÿ7)=TargetServerName Aÿÿ+= TargetInfo Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort   @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostC:\Windows\System32\winlogon.exe127.0.0.10dˆ**°<Œƒ‰3àÑ  «Ö& F©!1 €Œƒ‰3àÑP<Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAK0User32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10Ke°**°=Œƒ‰3àÑ  «Ö& F©!1 €Œƒ‰3àÑP=Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA0User32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10°**>Œƒ‰3àÑ  «Ö& F!1@ €Œƒ‰3àÑP>Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAK0SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeak**p?.ƒ`3àÑ  «Ö& Fk!1 €.ƒ`3àÑ@?Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--up**ˆ@.ƒ`3àÑ  «Ö& Fƒ!1@ €.ƒ`3àÑ@@Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeiˆ**pAOQeô4àÑ  «Ö& Fk!1 €OQeô4àÑ”AMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆBOQeô4àÑ  «Ö& Fƒ!1@ €OQeô4àÑ”BMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pCjùï36àÑ  «Ö& Fk!1 €jùï36àш CMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆDjùï36àÑ  «Ö& Fƒ!1@ €jùï36àш DMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pEäAÌ7àÑ  «Ö& Fk!1 €äAÌ7àÑ@EMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆFäAÌ7àÑ  «Ö& Fƒ!1@ €äAÌ7àÑ@FMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pG{r#7àÑ  «Ö& Fk!1 €{r#7àÑ@GMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆH{r#7àÑ  «Ö& Fƒ!1@ €{r#7àÑ@HMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pIÑ«-7àÑ  «Ö& Fk!1 €Ñ«-7àÑ@IMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆJÑ«-7àÑ  «Ö& Fƒ!1@ €Ñ«-7àÑ@JMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ÐKŽH) 7àÑ  «Ö& FÅ!5( €ŽH) 7àÑp KMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYý_ ëYã™O“Oªß®@ÚÿÿÎðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ5'=AuditSourceName Aÿÿ1#= EventSourceId Aÿÿ)= ProcessId Aÿÿ-= ProcessName   :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditÁÕ\HC:\Windows\System32\VSSVC.exeÐ**ØLŽH) 7àÑ  «Ö& FÓ!5) €ŽH) 7àÑp LMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYý_  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditÁÕ\HC:\Windows\System32\VSSVC.exeØ**àM—¾a|7àÑ ê@S¾dê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $agm5DUserData! u!gL @—¾a|7àÑL°M T3[ hT3[ÓˆY}É*ë•ÄlJAÿÿ>3h«'ServiceShutdown FdhNwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**˜N(|7àÑ  «Ö& F!1' €(|7àÑ\RegìNMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{N“j-{NŽ¯EßÄ•34èɦúÿÿîðAÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId   ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA0˜**PO|W:‰7àÑ  «Ö& F9!0 €|W:‰7àÑPã° $OMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî+m=.Ý&ÎîË|Ö Žp)·cîÿÿðP**Pݸ<‰7àÑ  «Ö& Fõ!1 €Ý¸<‰7àÑPã° $PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --SYSTEMNT AUTHORITYç-------**ÈQbM‰7àÑ  «Ö& F¯!5& €bM‰7àÑPã° TQMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ‹pºìÇ'1°—`A—–—ù tÿÿhðAÿÿ'=PuaCount Aÿÿ-= PuaPolicyId ÊÁÈ**˜RVŠ7àÑ  «Ö& F!1 €VŠ7àÑPã° hRMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--˜** SVŠ7àÑ  «Ö& F…!1@ €VŠ7àÑPã° hSMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨TØ#-Š7àÑ  «Ö& F‘!1 €Ø#-Š7àÑPã° hTMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--øC:\Windows\System32\services.exe--¨**(UØ#-Š7àÑ  «Ö& F !1@ €Ø#-Š7àÑPã° hUMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨V™æ1Š7àÑ  «Ö& F!1 €™æ1Š7àÑPã° PVMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--øC:\Windows\System32\services.exe--¨** W™æ1Š7àÑ  «Ö& F !1@ €™æ1Š7àÑPã° PWMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜Xº 9Š7àÑ  «Ö& F!1 €º 9Š7àÑPã° DXMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--˜** Yº 9Š7àÑ  «Ö& F…!1@ €º 9Š7àÑPã° DYMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜Zl;Š7àÑ  «Ö& F!1 €l;Š7àÑPã° DZMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--˜** [l;Š7àÑ  «Ö& F…!1@ €l;Š7àÑPã° D[Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜\-gY‹7àÑ  «Ö& F!1 €-gY‹7àÑ\Reg d\Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--˜** ]-gY‹7àÑ  «Ö& F…!1@ €-gY‹7àÑ\Reg d]Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **^t²¥‹7àÑ  «Ö& F!1 €t²¥‹7àÑ d^Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --ANONYMOUS LOGONNT AUTHORITYËeNtLmSsp NTLM-NTLM V1---**p_wQÊ‹7àÑ  «Ö& Fk!1 €wQÊ‹7àÑ h_Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--p**ˆ`wQÊ‹7àÑ  «Ö& Fƒ!1@ €wQÊ‹7àÑ h`Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**paDTÎŒ7àÑ  «Ö& Fk!1 €DTÎŒ7àÑ daMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--p**ˆbDTÎŒ7àÑ  «Ö& Fƒ!1@ €DTÎŒ7àÑ dbMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pca®ïÓ7àÑ  «Ö& Fk!1 €a®ïÓ7àÑ PcMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--p**ˆda®ïÓ7àÑ  «Ö& Fƒ!1@ €a®ïÓ7àÑ PdMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**`e8Ý)9àÑ  «Ö& FW!1( €8Ý)9àÑ ÔeMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk=.  @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostèC:\Windows\System32\winlogon.exe127.0.0.10`**°f8Ý)9àÑ  «Ö& F©!1 €8Ý)9àÑ ÔfMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAŠ< User32 NegotiateWIN-03DLIIOFRRA--èC:\Windows\System32\winlogon.exe127.0.0.10°**°g8Ý)9àÑ  «Ö& F©!1 €8Ý)9àÑ ÔgMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÂ< User32 NegotiateWIN-03DLIIOFRRA--èC:\Windows\System32\winlogon.exe127.0.0.10°**h8Ý)9àÑ  «Ö& F!1@ €8Ý)9àÑ ÔhMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAŠ< SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege**ÀiÏU1^9àÑ ê@S¾d !gL @ÏU1^9àÑP”i T3[ hÀ**ˆjª^9àÑ  «Ö& Fm!1' €ª^9àÑ\Reg ¸ jMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{N“j  ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÂ< ˆ**(kîpk9àÑ  «Ö& F!0 €îpk9àÑ Ý£ kMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî+m(**lîpk9àÑ  «Ö& Fõ!1 €îpk9àÑ Ý£ lMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --SYSTEMNT AUTHORITYç-------**@m¾€k9àÑ  «Ö& F#!5& €¾€k9àÑ Ý£\mMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ‹pÂË@**˜nQ…k9àÑ  «Ö& F!1 €Q…k9àÑ Ý£DnMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** oQ…k9àÑ  «Ö& F…!1@ €Q…k9àÑ Ý£DoMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨p4s¤k9àÑ  «Ö& F‘!1 €4s¤k9àÑ Ý£DpMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--äC:\Windows\System32\services.exe--¨**(q4s¤k9àÑ  «Ö& F !1@ €4s¤k9àÑ Ý£DqMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨rU—«k9àÑ  «Ö& F!1 €U—«k9àÑ Ý£xrMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--äC:\Windows\System32\services.exe--¨** sU—«k9àÑ  «Ö& F !1@ €U—«k9àÑ Ý£xsMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜t—ß¹k9àÑ  «Ö& F!1 €—ß¹k9àÑ Ý£xtMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** u—ß¹k9àÑ  «Ö& F…!1@ €—ß¹k9àÑ Ý£xuMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜v÷@¼k9àÑ  «Ö& F!1 €÷@¼k9àÑ Ý£xvMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** w÷@¼k9àÑ  «Ö& F…!1@ €÷@¼k9àÑ Ý£xwMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜xÛDÅl9àÑ  «Ö& F!1 €ÛDÅl9àÑ\RegHxMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** yÛDÅl9àÑ  «Ö& F…!1@ €ÛDÅl9àÑ\RegHyMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **@zÃKm9àÑ  «Ö& F'!1 €ÃKm9àÑ\RegxzMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    --ANONYMOUS LOGONNT AUTHORITY˜VNtLmSsp NTLM-NTLM V1---@**˜{‘Š9m9àÑ  «Ö& F!1 €‘Š9m9àÑ\Regx{Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** |‘Š9m9àÑ  «Ö& F…!1@ €‘Š9m9àÑ\Regx|Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜}³+n9àÑ  «Ö& F!1 €³+n9àÑ\RegH}Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜** ~³+n9àÑ  «Ö& F…!1@ €³+n9àÑ\RegH~Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **`pccp9àÑ  «Ö& FW!1( €pccp9àÑHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk=.  @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostC:\Windows\System32\winlogon.exe127.0.0.10`**°€pccp9àÑ  «Ö& F©!1 €pccp9àÑH€Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAV€User32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10°**°pccp9àÑ  «Ö& F©!1 €pccp9àÑHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA„€User32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10°**‚pccp9àÑ  «Ö& F!1@ €pccp9àÑH‚Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAV€SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege**pƒ|,êt9àÑ  «Ö& Fk!1 €|,êt9àÑPƒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆ„|,êt9àÑ  «Ö& Fƒ!1@ €|,êt9àÑP„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**Ø…"!µ‰XàÑ  «Ö& FÓ!0 €"!µ‰XàÑ8…Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…-ü ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ/!= PreviousTime Aÿÿ%=NewTime Aÿÿ)= ProcessId Aÿÿ-= ProcessName   bWIN-03DLIIOFRRA$WORKGROUPç/:íw<àÑ ¢‰XàÑC:\Program Files\VMware\VMware Tools\vmtoolsd.exeØ**À†OQ;”XàÑ ê@S¾d !gL @OQ;”XàÑXt † T3[ hÀElfChnk‡Ý‡Ý€(üÈÿW¢aVŽjÈšðóè=Ä×Î÷²›f“×?øÁÖ©MFºÔ&ë‹l×ÉEr}FåÍ**x‡ˆmý“XàÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! F­!1' €ˆmý“XàÑ\ReġMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NÉ-{NŽ¯EßÄ•34èɦ(ÿÿðD‚ EventDataAÿÿCΊoData#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId   ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA„€serNx**PˆËcGªXàÑ  «Ö& F9!0 €ËcGªXàÑຠˆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî“ Ý&ÎîË|Ö Žp)·cîÿÿðP**¨‰ËcGªXàÑ  «Ö& F‹!1 €ËcGªXàÑຠ‰Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã ï:ÚÁ¹öǬr›fË8(~ÿÿrðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId Aÿÿ)= LogonType Aÿÿ7)=LogonProcessName AÿÿI;=AuthenticationPackageName Aÿÿ5'=WorkstationName Aÿÿ)= LogonGuid Aÿÿ=/=TransmittedServices Aÿÿ1#= LmPackageName Aÿÿ)= KeyLength Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort   --SYSTEMNT AUTHORITYç-------eTak¨**ÈŠÍnZªXàÑ  «Ö& F¯!5& €ÍnZªXàÑຠ`ŠMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ‹ºìÇ'1°—`A—–—ù tÿÿhðAÿÿ'=PuaCount Aÿÿ-= PuaPolicyId %ÌÈ**˜‹Ž1_ªXàÑ  «Ö& F!1 €Ž1_ªXàÑຠx‹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--˜**ðŒŽ1_ªXàÑ  «Ö& F×!1@ €Ž1_ªXàÑຠxŒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ëã ®x«C‚Å“Â-ž:ÿÿ.ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= PrivilegeList  &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeA$ð**¨Â{ªXàÑ  «Ö& F‘!1 €Â{ªXàÑຠxMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--äC:\Windows\System32\services.exe-- ¨**(ŽÂ{ªXàÑ  «Ö& F !1@ €Â{ªXàÑຠxŽMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeF(**¨’G…ªXàÑ  «Ö& F!1 €’G…ªXàÑຠxMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--äC:\Windows\System32\services.exe--Sec¨** ’G…ªXàÑ  «Ö& F !1@ €’G…ªXàÑຠxMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivileges **˜‘t.‘ªXàÑ  «Ö& F!1 €t.‘ªXàÑຠP‘Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--Pr˜** ’t.‘ªXàÑ  «Ö& F…!1@ €t.‘ªXàÑຠP’Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege%–„Tx **˜“Ô“ªXàÑ  «Ö& F!1 €Ô“ªXàÑຠx“Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--le˜** ”Ô“ªXàÑ  «Ö& F…!1@ €Ô“ªXàÑຠx”Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege Pr **˜•–ö½«XàÑ  «Ö& F!1 €–ö½«XàÑ\Reg ø•Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--os˜** ––ö½«XàÑ  «Ö& F…!1@ €–ö½«XàÑ\Reg ø–Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeORK **@—€2$¬XàÑ  «Ö& F'!1 €€2$¬XàÑ\Reg D—Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã     --ANONYMOUS LOGONNT AUTHORITY´TNtLmSsp NTLM-NTLM V1---@**˜˜ešY¬XàÑ  «Ö& F!1 €ešY¬XàÑ\Reg ø˜Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--nd˜** ™ešY¬XàÑ  «Ö& F…!1@ €ešY¬XàÑ\Reg ø™Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeivi **pš²„:­XàÑ  «Ö& Fk!1 €²„:­XàÑ PšMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--yp**ˆ›²„:­XàÑ  «Ö& Fƒ!1@ €²„:­XàÑ P›Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeiˆ**ˆœ&¯.°XàÑ  «Ö& Fƒ!1( €&¯.°XàÑ øœMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk}F“ `/skbðhP3å'vÿÿðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ)= LogonGuid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ5'=TargetLogonGuid Aÿÿ7)=TargetServerName Aÿÿ+= TargetInfo Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort   @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostC:\Windows\System32\winlogon.exe127.0.0.10mˆ**°&¯.°XàÑ  «Ö& F©!1 €&¯.°XàÑ øMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã   @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA‘»User32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10Mi°**°ž&¯.°XàÑ  «Ö& F©!1 €&¯.°XàÑ øžMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã   @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA¿»User32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10in°**Ÿ&¯.°XàÑ  «Ö& F!1@ €&¯.°XàÑ øŸMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ëÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA‘»SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege**p ÞĨ¶XàÑ  «Ö& Fk!1 €ÞĨ¶XàÑ T Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆ¡ÞĨ¶XàÑ  «Ö& Fƒ!1@ €ÞĨ¶XàÑ T¡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p¢â4JjàÑ  «Ö& Fk!1 €â4JjàÑ ¨¢Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆ£â4JjàÑ  «Ö& Fƒ!1@ €â4JjàÑ ¨£Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p¤Y JjàÑ  «Ö& Fk!1 €Y JjàÑ 8¤Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--ÿp**ˆ¥Y JjàÑ  «Ö& Fƒ!1@ €Y JjàÑ 8¥Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p¦=þ™SjàÑ  «Ö& Fk!1 €=þ™SjàÑ 8¦Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆ§=þ™SjàÑ  «Ö& Fƒ!1@ €=þ™SjàÑ 8§Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p¨„ SlàÑ  «Ö& Fk!1 €„ SlàÑ t¨Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆ©„ SlàÑ  «Ö& Fƒ!1@ €„ SlàÑ t©Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ت¤KˆàÑ  «Ö& FÓ!0 €¤KˆàÑ<ªMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…Er ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ/!= PreviousTime Aÿÿ%=NewTime Aÿÿ)= ProcessId Aÿÿ-= ProcessName   bWIN-03DLIIOFRRA$WORKGROUPç÷Ÿ ßyàÑsŸKˆàÑC:\Program Files\VMware\VMware Tools\vmtoolsd.exeØ**(«Éåóý!åÑ  «Ö& F!0 €Éåóý!åÑPáü«Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî“ vi(**¬)Göý!åÑ  «Ö& Fõ!1 €)Göý!åÑPáü¬Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã   --SYSTEMNT AUTHORITYç-------Sec**@­Îûþ!åÑ  «Ö& F#!5& €Îûþ!åÑPáü\­Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ‹RÉdvap@**˜®O#þ!åÑ  «Ö& F!1 €O#þ!åÑPáüx®Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--na˜** ¯O#þ!åÑ  «Ö& F…!1@ €O#þ!åÑPáüx¯Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeSec **¨°S—Iþ!åÑ  «Ö& F‘!1 €S—Iþ!åÑPáüx°Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--äC:\Windows\System32\services.exe--¨**(±S—Iþ!åÑ  «Ö& F !1@ €S—Iþ!åÑPáüx±Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeiti(**¨²ÔSþ!åÑ  «Ö& F!1 €ÔSþ!åÑPáüP²Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--äC:\Windows\System32\services.exe--ge¨** ³ÔSþ!åÑ  «Ö& F !1@ €ÔSþ!åÑPáüP³Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivileget **˜´U¢\þ!åÑ  «Ö& F!1 €U¢\þ!åÑPáüP´Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--ke˜** µU¢\þ!åÑ  «Ö& F…!1@ €U¢\þ!åÑPáüPµMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegegot **˜¶¶_þ!åÑ  «Ö& F!1 €¶_þ!åÑPáüP¶Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--ke˜** ·¶_þ!åÑ  «Ö& F…!1@ €¶_þ!åÑPáüP·Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege- **˜¸”•/"åÑ  «Ö& F!1 €”•/"åÑ\Regt¸Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--Ö&˜** ¹”•/"åÑ  «Ö& F…!1@ €”•/"åÑ\Regt¹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **@º^eš"åÑ  «Ö& F'!1 €^eš"åÑ\RegtºMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã     --ANONYMOUS LOGONNT AUTHORITYmRNtLmSsp NTLM-NTLM V1---@**p»",È"åÑ  «Ö& Fk!1 €",È"åÑt»Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--vp**ˆ¼",È"åÑ  «Ö& Fƒ!1@ €",È"åÑt¼Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p½ùwÅ"åÑ  «Ö& Fk!1 €ùwÅ"åÑx½Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--vp**ˆ¾ùwÅ"åÑ  «Ö& Fƒ!1@ €ùwÅ"åÑx¾Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**`¿~É"åÑ  «Ö& FW!1( €~É"åÑP¿Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk}F  @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostC:\Windows\System32\winlogon.exe127.0.0.102\w`**°À~É"åÑ  «Ö& F©!1 €~É"åÑPÀMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã   @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA“èUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10\w°**°Á~É"åÑ  «Ö& F©!1 €~É"åÑPÁMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã   @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÉèUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10iv°**Â~É"åÑ  «Ö& F!1@ €~É"åÑPÂMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ëÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA“èSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege**pÃh "åÑ  «Ö& Fk!1 €h "åÑPÃMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe---p**ˆÄh "åÑ  «Ö& Fƒ!1@ €h "åÑPÄMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pÅ+ܱ"åÑ  «Ö& Fk!1 €+ܱ"åÑüÅMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--yp**ˆÆ+ܱ"åÑ  «Ö& Fƒ!1@ €+ܱ"åÑüÆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pÇí8±"åÑ  «Ö& Fk!1 €í8±"åÑüÇMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆÈí8±"åÑ  «Ö& Fƒ!1@ €í8±"åÑüÈMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pÉÎ*±"åÑ  «Ö& Fk!1 €Î*±"åÑüÉMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã     @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--p**ˆÊÎ*±"åÑ  «Ö& Fƒ!1@ €Î*±"åÑüÊMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ÐË ½ µ"åÑ  «Ö& FÅ!5( € ½ µ"åÑ ËMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYåÍ ëYã™O“Oªß®@ÚÿÿÎðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ5'=AuditSourceName Aÿÿ1#= EventSourceId Aÿÿ)= ProcessId Aÿÿ-= ProcessName   :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditId C:\Windows\System32\VSSVC.exeBÐ**ØÌ ½ µ"åÑ  «Ö& FÓ!5) € ½ µ"åÑ ÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYåÍ  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditId C:\Windows\System32\VSSVC.exeØ**xÍœÔ"åÑ  «Ö& Fm!1' €œÔ"åÑPÍMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NÉÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÉèOwnex**àÎ/KÜÔ"åÑ ê@SÔê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $ÁÖm5DUserData! u!gL @/KÜÔ"åÑP\ Î T3[l×T3[ÓˆY}É*ë•ÄlJAÿÿ>“׫'ServiceShutdown FÄ×Nwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**(Ï@ÇNá"åÑ  «Ö& F!0 €@ÇNá"åÑ Þ¥ÏMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî“ ty(**Ð@ÇNá"åÑ  «Ö& Fõ!1 €@ÇNá"åÑ Þ¥ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã   --SYSTEMNT AUTHORITYç-------**@ÑBÒaá"åÑ  «Ö& F#!5& €BÒaá"åÑ Þ¥LÑMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ‹¯ÅANO@**˜Òyd'â"åÑ  «Ö& F!1 €yd'â"åÑ Þ¥DÒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÜC:\Windows\System32\services.exe--˜** Óyd'â"åÑ  «Ö& F…!1@ €yd'â"åÑ Þ¥DÓMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege S **¨Ôœ“Aâ"åÑ  «Ö& F‘!1 €œ“Aâ"åÑ Þ¥DÔMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--ÜC:\Windows\System32\services.exe--i¨**(Õœ“Aâ"åÑ  «Ö& F !1@ €œ“Aâ"åÑ Þ¥DÕMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeoke(**¨Ö½·Hâ"åÑ  «Ö& F!1 €½·Hâ"åÑ Þ¥DÖMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--ÜC:\Windows\System32\services.exe--Mi¨** ×½·Hâ"åÑ  «Ö& F !1@ €½·Hâ"åÑ Þ¥D×Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜ØÝÛOâ"åÑ  «Ö& F!1 €ÝÛOâ"åÑ Þ¥XØMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÜC:\Windows\System32\services.exe--˜** ÙÝÛOâ"åÑ  «Ö& F…!1@ €ÝÛOâ"åÑ Þ¥XÙMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeÚÔ. **˜Ú>=Râ"åÑ  «Ö& F!1 €>=Râ"åÑ Þ¥XÚMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÜC:\Windows\System32\services.exe--cu˜** Û>=Râ"åÑ  «Ö& F…!1@ €>=Râ"åÑ Þ¥XÛMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege  **˜ÜØã"åÑ  «Ö& F!1 €Øã"åÑ\RegDÜMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁã  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÜC:\Windows\System32\services.exe-- ˜** ÝØã"åÑ  «Ö& F…!1@ €Øã"åÑ\RegDÝMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«ë &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege ElfChnkÞ3Þ3€0ý¨ÿ,ÇVÆÞói]ðóè=;(à Security ï:ÚÁÉï:ÚÁ¹öǬr›fË8(¬ÿÿ ðD‚ EventDataAÿÿEΊoData%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId Aÿÿ)= LogonType Aÿÿ7)=LogonProcessName AÿÿI;=AuthenticationPackageName Aÿÿ5'=WorkstationName Aÿÿ)= LogonGuid Aÿÿ=/=TransmittedServices Aÿÿ1#= LmPackageName Aÿÿ)= KeyLength Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort     --ANONYMOUS LOGONNT AUTHORITYdNtLmSsp NTLM-NTLM V1---A° **pßìä"åÑ  «Ö& Fk!1 €ìä"åÑ\ßMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÜC:\Windows\System32\services.exe--p**ààìä"åÑ  «Ö& FÕ!1@ €ìä"åÑ\àMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-É®x«C‚Å“Â-ž:ÿÿ.ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= PrivilegeList   $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeà**pá'aƒå"åÑ  «Ö& Fk!1 €'aƒå"åÑ8áMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÜC:\Windows\System32\services.exe--jp**ˆâ'aƒå"åÑ  «Ö& Fƒ!1@ €'aƒå"åÑ8âMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ˆãte#åÑ  «Ö& Fƒ!1( €te#åÑ8ãMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk`/skbðhP3å'vÿÿðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ)= LogonGuid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ5'=TargetLogonGuid Aÿÿ7)=TargetServerName Aÿÿ+= TargetInfo Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort   @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostøC:\Windows\System32\winlogon.exe127.0.0.10iˆ**°äte#åÑ  «Ö& F©!1 €te#åÑ8äMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÐAUser32 NegotiateWIN-03DLIIOFRRA--øC:\Windows\System32\winlogon.exe127.0.0.10%–„°**°åte#åÑ  «Ö& F©!1 €te#åÑ8åMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRABUser32 NegotiateWIN-03DLIIOFRRA--øC:\Windows\System32\winlogon.exe127.0.0.10-0°**æte#åÑ  «Ö& F!1@ €te#åÑ8æMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÐASeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeiv**pçGš #åÑ  «Ö& Fk!1 €Gš #åÑXçMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÜC:\Windows\System32\services.exe--np**ˆèGš #åÑ  «Ö& Fƒ!1@ €Gš #åÑXèMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeSˆ**pé P¡#åÑ  «Ö& Fk!1 € P¡#åÑÔéMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÜC:\Windows\System32\services.exe--öp**ˆê P¡#åÑ  «Ö& Fƒ!1@ € P¡#åÑÔêMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeAˆ**pë‰MR¤#åÑ  «Ö& Fk!1 €‰MR¤#åÑ ëMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÜC:\Windows\System32\services.exe--p**ˆì‰MR¤#åÑ  «Ö& Fƒ!1@ €‰MR¤#åÑ ìMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeIˆ**pí©qY¤#åÑ  «Ö& Fk!1 €©qY¤#åÑ íMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--ÜC:\Windows\System32\services.exe--Yp**ˆî©qY¤#åÑ  «Ö& Fƒ!1@ €©qY¤#åÑ îMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**Ðïrå¨#åÑ  «Ö& FÅ!5( €rå¨#åÑDïMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÕA ëYã™O“Oªß®@ÚÿÿÎðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ5'=AuditSourceName Aÿÿ1#= EventSourceId Aÿÿ)= ProcessId Aÿÿ-= ProcessName   :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditÛC:\Windows\System32\VSSVC.exeriviÐ**Øðrå¨#åÑ  «Ö& FÓ!5) €rå¨#åÑDðMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÕA  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditÛC:\Windows\System32\VSSVC.exetØ**àñ(^¬Ò+åÑ ê@S–Fê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $9Im5DUserData! u!gL @(^¬Ò+åÑDˆñ T3[äIT3[ÓˆY}É*ë•ÄlJAÿÿ> J«'ServiceShutdown F;(à Security -{NkL-{NŽ¯EßÄ•34èɦúÿÿîðAÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId   ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAB˜**Pó+ à+åÑ  «Ö& F9!0 €+ à+åÑÞróMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîOÝ&ÎîË|Ö Žp)·cîÿÿðP**ôfŒ à+åÑ  «Ö& Fõ!1 €fŒ à+åÑÞrôMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --SYSTEMNT AUTHORITYç-------**Èõh—à+åÑ  «Ö& F¯!5& €h—à+åÑÞrTõMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇcRºìÇ'1°—`A—–—ù tÿÿhðAÿÿ'=PuaCount Aÿÿ-= PuaPolicyId ÜÄÈ**˜ö?Èâà+åÑ  «Ö& F!1 €?Èâà+åÑÞrLöMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--˜** ÷?Èâà+åÑ  «Ö& F…!1@ €?Èâà+åÑÞrL÷Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«- &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨ø¡4øà+åÑ  «Ö& F‘!1 €¡4øà+åÑÞrLøMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--øC:\Windows\System32\services.exe--¨**(ù¡4øà+åÑ  «Ö& F !1@ €¡4øà+åÑÞrLùMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨úÂXÿà+åÑ  «Ö& F!1 €ÂXÿà+åÑÞr`úMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--øC:\Windows\System32\services.exe--¨** ûÂXÿà+åÑ  «Ö& F !1@ €ÂXÿà+åÑÞr`ûMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«- œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜üã|á+åÑ  «Ö& F!1 €ã|á+åÑÞrLüMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--˜** ýã|á+åÑ  «Ö& F…!1@ €ã|á+åÑÞrLýMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«- &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜þCÞá+åÑ  «Ö& F!1 €CÞá+åÑÞrLþMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--˜** ÿCÞá+åÑ  «Ö& F…!1@ €CÞá+åÑÞrLÿMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«- &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜Fâ+åÑ  «Ö& F!1 €Fâ+åÑ\RegPMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--˜** Fâ+åÑ  «Ö& F…!1@ €Fâ+åÑ\RegPMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«- &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **@„gâ+åÑ  «Ö& F'!1 €„gâ+åÑ\RegPMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    --ANONYMOUS LOGONNT AUTHORITYJdNtLmSsp NTLM-NTLM V1---@**prœŠâ+åÑ  «Ö& Fk!1 €rœŠâ+åÑLMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--p**ˆrœŠâ+åÑ  «Ö& Fƒ!1@ €rœŠâ+åÑLMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pÿæuã+åÑ  «Ö& Fk!1 €ÿæuã+åÑPMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--p**ˆÿæuã+åÑ  «Ö& Fƒ!1@ €ÿæuã+åÑPMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**`|Wýí+åÑ  «Ö& FW!1( €|Wýí+åÑ@Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk  @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostðC:\Windows\System32\winlogon.exe127.0.0.10`**°|Wýí+åÑ  «Ö& F©!1 €|Wýí+åÑ@Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA% User32 NegotiateWIN-03DLIIOFRRA--ðC:\Windows\System32\winlogon.exe127.0.0.10°**° |Wýí+åÑ  «Ö& F©!1 €|Wýí+åÑ@ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA[ User32 NegotiateWIN-03DLIIOFRRA--ðC:\Windows\System32\winlogon.exe127.0.0.10°** |Wýí+åÑ  «Ö& F!1@ €|Wýí+åÑ@ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA% SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege**p /J“ô+åÑ  «Ö& Fk!1 €/J“ô+åÑ@ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--p**ˆ /J“ô+åÑ  «Ö& Fƒ!1@ €/J“ô+åÑ@ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p Ý¡î/åÑ  «Ö& Fk!1 €Ý¡î/åÑ´ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--p**ˆÝ¡î/åÑ  «Ö& Fƒ!1@ €Ý¡î/åÑ´ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p³×Ž0åÑ  «Ö& Fk!1 €³×Ž0åÑ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--p**ˆ³×Ž0åÑ  «Ö& Fƒ!1@ €³×Ž0åÑ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pÔû•0åÑ  «Ö& Fk!1 €Ôû•0åÑ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--øC:\Windows\System32\services.exe--p**ˆÔû•0åÑ  «Ö& Fƒ!1@ €Ôû•0åÑ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«-  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**Ø´ZÒ0åÑ  «Ö& FÓ!5( €´ZÒ0åÑœ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÕA  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditUšEˆC:\Windows\System32\VSSVC.exeØ**Ø´ZÒ0åÑ  «Ö& FÓ!5) €´ZÒ0åÑœ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ëYÕA  :WIN-03DLIIOFRRA$WORKGROUPçVSSAuditUšEˆC:\Windows\System32\VSSVC.exeØ**(ó30åÑ  «Ö& F!5+ €ó30åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«TØ®b¨ãb]Áh˺‘~ÿÿrðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ/!= ObjectServer Aÿÿ+= ObjectType Aÿÿ+= ObjectName Aÿÿ'=HandleId Aÿÿ!=OldSd Aÿÿ!=NewSd Aÿÿ)= ProcessId Aÿÿ-= ProcessName   >FRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wecutil.exe¬S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¤C:\Windows\servicing\TrustedInstaller.exe(**ó30åÑ  «Ö& F…!5+ €ó30åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  <FRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wecsvc.dll€S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¤C:\Windows\servicing\TrustedInstaller.exe**ó30åÑ  «Ö& F…!5+ €ó30åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  <FRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wecapi.dllDS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¤C:\Windows\servicing\TrustedInstaller.exe**ó30åÑ  «Ö& F‡!5+ €ó30åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  >FRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wecutil.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¤C:\Windows\servicing\TrustedInstaller.exe**T60åÑ  «Ö& F…!5+ €T60åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  <FRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wecapi.dll¬S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¤C:\Windows\servicing\TrustedInstaller.exe**àIЫ0åÑ  «Ö& FÕ!5+ €IЫ0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  Æ RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\49d0ab1330e5d10158080000a4071c08.Windows PowerShell (x86).lnkÜ S:ARAI¤C:\Windows\servicing\TrustedInstaller.exeà**ÐIЫ0åÑ  «Ö& FÉ!5+ €IЫ0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  º RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\49d0ab1330e5d10159080000a4071c08.Windows PowerShell.lnk@ S:ARAI¤C:\Windows\servicing\TrustedInstaller.exeÐ**È©1®0åÑ  «Ö& FÁ!5+ €©1®0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  ² RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\a931ae1330e5d1015a080000a4071c08.PSDiagnostics.psd1Ì S:ARAI¤C:\Windows\servicing\TrustedInstaller.exeÈ**È©1®0åÑ  «Ö& FÁ!5+ €©1®0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  ² RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\a931ae1330e5d1015b080000a4071c08.PSDiagnostics.psm1(S:ARAI¤C:\Windows\servicing\TrustedInstaller.exeÈ**¸jô²0åÑ  «Ö& F³!5+ €jô²0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  ¤ RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\6af4b21330e5d1015c080000a4071c08.profile.ps1äS:ARAI¤C:\Windows\servicing\TrustedInstaller.exe¸**ðY10åÑ  «Ö& Fë!5+ €Y10åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  àRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk¼ S:AI¤C:\Windows\servicing\TrustedInstaller.exeð**è Y10åÑ  «Ö& Fß!5+ €Y10åÑ, Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  ÔRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk¼ S:AI¤C:\Windows\servicing\TrustedInstaller.exeè** !Y10åÑ  «Ö& F—!5+ €Y10åÑ,!Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  NFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WSManHTTPConfig.exeœS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¤C:\Windows\servicing\TrustedInstaller.exe ** "Y10åÑ  «Ö& F—!5+ €Y10åÑ,"Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  NFRWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\DscCoreConfProv.dll$ S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)¤C:\Windows\servicing\TrustedInstaller.exe **à#‰Ž½0åÑ  «Ö& FÕ!5+ €‰Ž½0åÑ,#Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  Æ RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\898ebd1430e5d10131090000a4071c08.Windows PowerShell (x86).lnkXS:ARAI¤C:\Windows\servicing\TrustedInstaller.exeà**Ð$‰Ž½0åÑ  «Ö& FÉ!5+ €‰Ž½0åÑ,$Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  º RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\898ebd1430e5d10132090000a4071c08.Windows PowerShell.lnk\S:ARAI¤C:\Windows\servicing\TrustedInstaller.exeÐ**È%éï¿0åÑ  «Ö& FÁ!5+ €éï¿0åÑ,%Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  ² RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\898ebd1430e5d10133090000a4071c08.PSDiagnostics.psd1DS:ARAI¤C:\Windows\servicing\TrustedInstaller.exeÈ**È&éï¿0åÑ  «Ö& FÁ!5+ €éï¿0åÑ,&Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  ² RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\898ebd1430e5d10134090000a4071c08.PSDiagnostics.psm1ìS:ARAI¤C:\Windows\servicing\TrustedInstaller.exeÈ**¸'IQÂ0åÑ  «Ö& F³!5+ €IQÂ0åÑ,'Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  ¤ RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\4951c21430e5d10135090000a4071c08.profile.ps1p S:ARAI¤C:\Windows\servicing\TrustedInstaller.exe¸**à(i‘0åÑ  «Ö& FÕ!5+ €i‘0åÑ,(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  Æ RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\0169911530e5d101070a0000a4071c08.Windows PowerShell (x86).lnk8 S:ARAI¤C:\Windows\servicing\TrustedInstaller.exeà**Ð)i‘0åÑ  «Ö& FÉ!5+ €i‘0åÑ,)Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  º RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\0169911530e5d101080a0000a4071c08.Windows PowerShell.lnkÐS:ARAI¤C:\Windows\servicing\TrustedInstaller.exeÐ**È*aÊ“0åÑ  «Ö& FÁ!5+ €aÊ“0åÑ,*Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  ² RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\61ca931530e5d101090a0000a4071c08.PSDiagnostics.psd1È S:ARAI¤C:\Windows\servicing\TrustedInstaller.exeÈ**È+aÊ“0åÑ  «Ö& FÁ!5+ €aÊ“0åÑ,+Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  ² RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\61ca931530e5d1010a0a0000a4071c08.PSDiagnostics.psm1h S:ARAI¤C:\Windows\servicing\TrustedInstaller.exeÈ**¸,Â+–0åÑ  «Ö& F³!5+ €Â+–0åÑ,,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  ¤ RWIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\winsxs\Temp\PendingRenames\c22b961530e5d1010b0a0000a4071c08.profile.ps18S:ARAI¤C:\Windows\servicing\TrustedInstaller.exe¸**x-GU;0åÑ  «Ö& Fm!1' €GU;0åÑœ -Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NkLÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA[ x**à.8‰¥;0åÑ  «Ö& F×!5+ €8‰¥;0åÑ,.Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  à>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnkS:AI@ C:\Windows\System32\poqexec.exeà**Ð/˜ê§;0åÑ  «Ö& FË!5+ €˜ê§;0åÑ,/Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  Ô>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnkS:AI@ C:\Windows\System32\poqexec.exeÐ**ˆ0˜ê§;0åÑ  «Ö& Fƒ!5+ €˜ê§;0åÑ,0Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  NF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WSManHTTPConfig.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeˆ**ˆ1˜ê§;0åÑ  «Ö& Fƒ!5+ €˜ê§;0åÑ,1Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  NF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\DscCoreConfProv.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeˆ**€2˜ê§;0åÑ  «Ö& Fy!5+ €˜ê§;0åÑ,2Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  DF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\framedynos.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe€**x3˜ê§;0åÑ  «Ö& Fq!5+ €˜ê§;0åÑ,3Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b«  <F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WsmSvc.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exexElfChnk4’4’€Àû@þ2g8Çë™âóè =Î÷²›f?øm©MFº&»**è 4ùKª;0åÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! F5!5+ €ùKª;0åÑ,4Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»TØ®b¨ãb]Áh˺‘¬ÿÿ âD‚ EventDataAÿÿE ΊoData%=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ObjectServer Aÿÿ+ = ObjectType Aÿÿ+ = ObjectName Aÿÿ' =HandleId Aÿÿ! =OldSd Aÿÿ! =NewSd Aÿÿ) = ProcessId Aÿÿ- = ProcessName   <F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WsmRes.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe è **x5ùKª;0åÑ  «Ö& Fq!5+ €ùKª;0åÑ,5Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  <F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wecsvc.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exet-x**€6ùKª;0åÑ  «Ö& Fu!5+ €ùKª;0åÑ,6Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wsmplpxy.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeows-€**€7ùKª;0åÑ  «Ö& F{!5+ €ùKª;0åÑ,7Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  FF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\pwrshplugin.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeg€**€8Y­¬;0åÑ  «Ö& Fw!5+ €Y­¬;0åÑ,8Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  BF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\winrshost.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exetin€**Ø9Y­¬;0åÑ  «Ö& FÍ!5+ €Y­¬;0åÑ,9Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ˜F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\Microsoft.Management.Infrastructure.Native.Unmanaged.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeNT AØ**x:Y­¬;0åÑ  «Ö& Fo!5+ €Y­¬;0åÑ,:Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  :F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\winrm.vbsS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exex** ;Y­¬;0åÑ  «Ö& F—!5+ €Y­¬;0åÑ,;Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  bF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\PSModuleDiscoveryProvider.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÿ5 **x<Y­¬;0åÑ  «Ö& Fs!5+ €Y­¬;0åÑ,<Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wevtfwd.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeex**p=¹¯;0åÑ  «Ö& Fi!5+ €¹¯;0åÑ,=Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  4F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\mi.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeAp**€>¹¯;0åÑ  «Ö& Fu!5+ €¹¯;0åÑ,>Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\framedyn.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe32 N€**x?¹¯;0åÑ  «Ö& Fo!5+ €¹¯;0åÑ,?Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  :F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\winrs.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exelegx**x@¹¯;0åÑ  «Ö& Fs!5+ €¹¯;0åÑ,@Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wmidcom.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exex**€Ap±;0åÑ  «Ö& Fu!5+ €p±;0åÑ,AMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\winrscmd.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeUTHO€**€Bp±;0åÑ  «Ö& F{!5+ €p±;0åÑ,BMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  FF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\prvdmofcomp.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe€**Cp±;0åÑ  «Ö& F‰!5+ €p±;0åÑ,CMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  TF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wsmanconfig_schema.xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeF**€Dp±;0åÑ  «Ö& F{!5+ €p±;0åÑ,DMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  FF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wsmprovhost.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe €**€Ep±;0åÑ  «Ö& Fu!5+ €p±;0åÑ,EMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WsmAgent.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeYç€**€Fzѳ;0åÑ  «Ö& Fu!5+ €zѳ;0åÑ,FMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WsmWmiPl.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exelege€**€Gzѳ;0åÑ  «Ö& Fu!5+ €zѳ;0åÑ,GMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\winrssrv.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeg%–„Tx€**xHzѳ;0åÑ  «Ö& Fs!5+ €zѳ;0åÑ,HMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\miutils.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exex**€Izѳ;0åÑ  «Ö& Fu!5+ €zѳ;0åÑ,IMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\ncobjapi.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeonat€**€JÚ2¶;0åÑ  «Ö& Fy!5+ €Ú2¶;0åÑ,JMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  DF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\mimofcodec.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeAÿÿ€**xKÚ2¶;0åÑ  «Ö& Fs!5+ €Ú2¶;0åÑ,KMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WsmAuto.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exex**€LÚ2¶;0åÑ  «Ö& Fw!5+ €Ú2¶;0åÑ,LMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  BF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbemcomn2.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe€**˜MÚ2¶;0åÑ  «Ö& F!5+ €Ú2¶;0åÑ,MMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  XF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WSManMigrationPlugin.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe/ev˜**€NÚ2¶;0åÑ  «Ö& Fy!5+ €Ú2¶;0åÑ,NMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  DF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\mibincodec.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeme€**€O:”¸;0åÑ  «Ö& Fw!5+ €:”¸;0åÑ,OMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  BF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WsmGCDeps.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe €fŒ€**xP:”¸;0åÑ  «Ö& Fq!5+ €:”¸;0åÑ,PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  <F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wecapi.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exetix** Q:”¸;0åÑ  «Ö& F—!5+ €:”¸;0åÑ,QMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  bF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\psmodulediscoveryprovider.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe **xR:”¸;0åÑ  «Ö& Fs!5+ €:”¸;0åÑ,RMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wecutil.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeex**˜S:”¸;0åÑ  «Ö& F!5+ €:”¸;0åÑ,SMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  XF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\Register-CimProvider.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe˜**xT:”¸;0åÑ  «Ö& Fs!5+ €:”¸;0åÑ,TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\DscCore.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exex**xU›õº;0åÑ  «Ö& Fs!5+ €›õº;0åÑ,UMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wmitomi.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exetx**€V›õº;0åÑ  «Ö& Fu!5+ €›õº;0åÑ,VMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\winrsmgr.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe€**ˆW›õº;0åÑ  «Ö& Fƒ!5+ €›õº;0åÑ,WMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  NF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\Winrs.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe>ˆ** X›õº;0åÑ  «Ö& F—!5+ €›õº;0åÑ,XMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  bF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\DscCoreConfProv.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeà Se **YûV½;0åÑ  «Ö& F‡!5+ €ûV½;0åÑ,YMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  RF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\wecutil.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exege**¨ZûV½;0åÑ  «Ö& F£!5+ €ûV½;0åÑ,ZMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  nF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\psmodulediscoveryprovider.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe¨**¨[ûV½;0åÑ  «Ö& F¡!5+ €ûV½;0åÑ,[Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  lF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\register-cimprovider.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exees¨**˜\ûV½;0åÑ  «Ö& F!5+ €ûV½;0åÑ,\Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  XF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\mibincodec.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeWORK˜**]ûV½;0åÑ  «Ö& F‡!5+ €ûV½;0åÑ,]Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  RF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\wmitomi.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exePri**˜^[¸¿;0åÑ  «Ö& F!5+ €[¸¿;0åÑ,^Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ZF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\pwrshplugin.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe\˜**_[¸¿;0åÑ  «Ö& F‡!5+ €[¸¿;0åÑ,_Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  RF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\miutils.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe%–„Tx**`[¸¿;0åÑ  «Ö& F…!5+ €[¸¿;0åÑ,`Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  PF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\WsmRes.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exey **a[¸¿;0åÑ  «Ö& F…!5+ €[¸¿;0åÑ,aMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  PF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\wecsvc.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe**b[¸¿;0åÑ  «Ö& F‡!5+ €[¸¿;0åÑ,bMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  RF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\wevtfwd.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe**ˆc»Â;0åÑ  «Ö& F}!5+ €»Â;0åÑ,cMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\mi.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exelegeˆ**d»Â;0åÑ  «Ö& F…!5+ €»Â;0åÑ,dMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  PF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\WsmSvc.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeLIIO**°e»Â;0åÑ  «Ö& F«!5+ €»Â;0åÑ,eMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  vF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\PSModuleDiscoveryProvider.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exet°**f»Â;0åÑ  «Ö& F‡!5+ €»Â;0åÑ,fMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  RF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\DscCore.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeA[ **˜g»Â;0åÑ  «Ö& F!5+ €»Â;0åÑ,gMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  XF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\en-US\mimofcodec.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exee ˜**8h»Â;0åÑ  «Ö& F3!5+ €»Â;0åÑ,hMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  þF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\Configuration\Registration\MSFT_FileDirectoryConfiguration\MSFT_FileDirectoryConfiguration.Registration.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exee8**Hi{Ä;0åÑ  «Ö& F?!5+ €{Ä;0åÑ,iMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\Configuration\Registration\MSFT_FileDirectoryConfiguration\en-US\MSFT_FileDirectoryConfiguration.Registration.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exelegH**àj{Ä;0åÑ  «Ö& FÕ!5+ €{Ä;0åÑ,jMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\Configuration\BaseRegistration\MSFT_DSCMetaConfiguration.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeindoà**Ðk{Ä;0åÑ  «Ö& FÉ!5+ €{Ä;0åÑ,kMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ”F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\Configuration\BaseRegistration\BaseResource.Schema.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeSeÐ**èl{Ä;0åÑ  «Ö& Fá!5+ €{Ä;0åÑ,lMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¬F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\Configuration\BaseRegistration\en-US\MSFT_DSCMetaConfiguration.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe Nè**àm{Ä;0åÑ  «Ö& FÕ!5+ €{Ä;0åÑ,mMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\Configuration\BaseRegistration\en-US\BaseResource.Schema.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe à** n|ÜÆ;0åÑ  «Ö& F!5+ €|ÜÆ;0åÑ,nMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  æF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\Configuration\Schema\MSFT_FileDirectoryConfiguration\MSFT_FileDirectoryConfiguration.Schema.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exet **0o|ÜÆ;0åÑ  «Ö& F'!5+ €|ÜÆ;0åÑ,oMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  òF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\Configuration\Schema\MSFT_FileDirectoryConfiguration\en-US\MSFT_FileDirectoryConfiguration.Schema.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe 0**p|ÜÆ;0åÑ  «Ö& F…!5+ €|ÜÆ;0åÑ,pMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  PF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\winrm\0409\winrm.iniS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe\VSS**ˆq|ÜÆ;0åÑ  «Ö& F!5+ €|ÜÆ;0åÑ,qMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\wbemcore.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeMiˆ**ˆrÜ=É;0åÑ  «Ö& F!5+ €Ü=É;0åÑ,rMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\SMTPCons.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeˆ**ˆsÜ=É;0åÑ  «Ö& F}!5+ €Ü=É;0åÑ,sMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\WMIADAP.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe €ó3ˆ**ˆtÜ=É;0åÑ  «Ö& F!5+ €Ü=É;0åÑ,tMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\fastprox.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeˆ**ˆuÜ=É;0åÑ  «Ö& F}!5+ €Ü=É;0åÑ,uMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\wbemsvc.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe‡!ˆ**ˆvÜ=É;0åÑ  «Ö& F!5+ €Ü=É;0åÑ,vMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\repdrvfs.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeˆ**ˆw<ŸË;0åÑ  «Ö& F}!5+ €<ŸË;0åÑ,wMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\wbemess.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeFˆ**ˆx<ŸË;0åÑ  «Ö& F!5+ €<ŸË;0åÑ,xMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\WmiApSrv.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeˆ**ˆy<ŸË;0åÑ  «Ö& F!5+ €<ŸË;0åÑ,yMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\WmiPrvSE.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exerviˆ**ˆz<ŸË;0åÑ  «Ö& F}!5+ €<ŸË;0åÑ,zMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\DscCore.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exes.psˆ**ˆ{Î;0åÑ  «Ö& F!5+ €Î;0åÑ,{Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\WmiPrvSD.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe015ˆ**€|Î;0åÑ  «Ö& Fw!5+ €Î;0åÑ,|Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  BF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\mofd.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exes\T€**ˆ}Î;0åÑ  «Ö& F!5+ €Î;0åÑ,}Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\WMICOOKR.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeritˆ**ˆ~Î;0åÑ  «Ö& Fƒ!5+ €Î;0åÑ,~Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  NF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\mofinstall.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeˆ**ˆÎ;0åÑ  «Ö& F}!5+ €Î;0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\stdprov.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exerityˆ**ˆ€ýaÐ;0åÑ  «Ö& F!5+ €ýaÐ;0åÑ,€Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\wmitimep.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeindˆ**ˆýaÐ;0åÑ  «Ö& F}!5+ €ýaÐ;0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\WinMgmt.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeMiˆ**€‚ýaÐ;0åÑ  «Ö& F{!5+ €ýaÐ;0åÑ,‚Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  FF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\NCProv.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe€**˜ƒýaÐ;0åÑ  «Ö& F!5+ €ýaÐ;0åÑ,ƒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  XF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\DscCoreConfProv.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe**˜**ˆ„]ÃÒ;0åÑ  «Ö& F!5+ €]ÃÒ;0åÑ,„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\wbemprox.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exerviˆ**ˆ…]ÃÒ;0åÑ  «Ö& F!5+ €]ÃÒ;0åÑ,…Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\WsmAgent.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe.psˆ**ˆ†]ÃÒ;0åÑ  «Ö& F}!5+ €]ÃÒ;0åÑ,†Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\scrcons.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe1013ˆ**ˆ‡]ÃÒ;0åÑ  «Ö& F!5+ €]ÃÒ;0åÑ,‡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\WmiApRes.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exengRˆ**ˆˆ]ÃÒ;0åÑ  «Ö& F!5+ €]ÃÒ;0åÑ,ˆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\WmiDcPrv.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeçˆ**ˆ‰]ÃÒ;0åÑ  «Ö& F!5+ €]ÃÒ;0åÑ,‰Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\unsecapp.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeˆ**ˆŠ¾$Õ;0åÑ  «Ö& F!5+ €¾$Õ;0åÑ,ŠMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\WinMgmtR.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeritˆ**ˆ‹¾$Õ;0åÑ  «Ö& F!5+ €¾$Õ;0åÑ,‹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\wbemtest.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exews-ˆ**€Œ¾$Õ;0åÑ  «Ö& F{!5+ €¾$Õ;0åÑ,ŒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  FF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\WMIsvc.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe;€**ˆ¾$Õ;0åÑ  «Ö& F!5+ €¾$Õ;0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\WmiApRpl.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeritˆ**ˆŽ¾$Õ;0åÑ  «Ö& F!5+ €¾$Õ;0åÑ,ŽMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\wbemcons.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeˆ**†×;0åÑ  «Ö& F‹!5+ €†×;0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  VF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\Dscpspluginwkr.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exet**˜†×;0åÑ  «Ö& F‘!5+ €†×;0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  \F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\WsmAgentUninstall.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe«˜**ˆ‘†×;0åÑ  «Ö& F!5+ €†×;0åÑ,‘Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\wmiutils.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe®b«ˆ**€’†×;0åÑ  «Ö& F{!5+ €†×;0åÑ,’Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  FF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\esscli.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe€    «Ö& Fç5+ €†×;0åÑ,“Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  indows\SysteWIN-03DLIIOFRRA$WORKGROUPçSecurityFileElfChnk“æ“æ€XúÀýð¯„mPÇâóè =Î÷²›f?øm©MFº&»**ø “†×;0åÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! FA!5+ €†×;0åÑ,“Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»TØ®b¨ãb]Áh˺‘¬ÿÿ âD‚ EventDataAÿÿE ΊoData%=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ObjectServer Aÿÿ+ = ObjectType Aÿÿ+ = ObjectName Aÿÿ' =HandleId Aÿÿ! =OldSd Aÿÿ! =NewSd Aÿÿ) = ProcessId Aÿÿ- = ProcessName   HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\mofcomp.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe5ø **˜”~çÙ;0åÑ  «Ö& F“!5+ €~çÙ;0åÑ,”Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ^F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\wmiutils.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe˜**˜•~çÙ;0åÑ  «Ö& F“!5+ €~çÙ;0åÑ,•Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ^F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\WmiApSrv.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe˜** –~çÙ;0åÑ  «Ö& F™!5+ €~çÙ;0åÑ,–Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  dF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\DscCoreConfProv.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeF **—~çÙ;0åÑ  «Ö& F‰!5+ €~çÙ;0åÑ,—Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  TF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\DscCore.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe**˜~çÙ;0åÑ  «Ö& F‹!5+ €~çÙ;0åÑ,˜Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  VF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\mofd.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe**˜™ÞHÜ;0åÑ  «Ö& F“!5+ €ÞHÜ;0åÑ,™Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ^F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\wbemcore.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe˜**˜šÞHÜ;0åÑ  «Ö& F“!5+ €ÞHÜ;0åÑ,šMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ^F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\wbemtest.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe˜**˜›ÞHÜ;0åÑ  «Ö& F‘!5+ €ÞHÜ;0åÑ,›Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  \F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\WinMgmt.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeF˜**˜œÞHÜ;0åÑ  «Ö& F‘!5+ €ÞHÜ;0åÑ,œMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  \F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\mofcomp.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe˜**˜?ªÞ;0åÑ  «Ö& F!5+ €?ªÞ;0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ZF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\NCProv.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeros˜**˜ž?ªÞ;0åÑ  «Ö& F“!5+ €?ªÞ;0åÑ,žMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ^F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\WinMgmtR.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeu˜**˜Ÿ?ªÞ;0åÑ  «Ö& F“!5+ €?ªÞ;0åÑ,ŸMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ^F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\WmiApRes.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exex˜**˜ ?ªÞ;0åÑ  «Ö& F“!5+ €?ªÞ;0åÑ, Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ^F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\WmiApRpl.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exet˜**˜¡?ªÞ;0åÑ  «Ö& F‘!5+ €?ªÞ;0åÑ,¡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  \F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\scrcons.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe ˜**˜¢Ÿ á;0åÑ  «Ö& F!5+ €Ÿ á;0åÑ,¢Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ZF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\en-US\WMIsvc.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe˜**£Ÿ á;0åÑ  «Ö& F…!5+ €Ÿ á;0åÑ,£Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  PF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\wbem\xml\wmi2xml.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe@**ˆ¤Ÿ á;0åÑ  «Ö& F}!5+ €Ÿ á;0åÑ,¤Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\dsc\DscCoreR.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeˆ**°¥Ÿ á;0åÑ  «Ö& F©!5+ €Ÿ á;0åÑ,¥Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  tF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\dsc\PSDSCFileDownloadManagerEvents.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeOF°**˜¦Ÿ á;0åÑ  «Ö& F‘!5+ €Ÿ á;0åÑ,¦Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  \F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\dsc\en-US\DscCoreR.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeOU˜**ȧÿlã;0åÑ  «Ö& F½!5+ €ÿlã;0åÑ,§Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ˆF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\dsc\en-US\PSDSCFileDownloadManagerEvents.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe\ncoÈ**¨¨ÿlã;0åÑ  «Ö& F!5+ €ÿlã;0åÑ,¨Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  hF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\migration\WMIMigrationPlugin.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe:ARA¨**¨©ÿlã;0åÑ  «Ö& F£!5+ €ÿlã;0åÑ,©Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  nF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\pwrshmsg.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeW¨**°ªÿlã;0åÑ  «Ö& F§!5+ €ÿlã;0åÑ,ªMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  rF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeyst°**¸«_Îå;0åÑ  «Ö& F¯!5+ €_Îå;0åÑ,«Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  zF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exexe¸**Ȭ_Îå;0åÑ  «Ö& F½!5+ €_Îå;0åÑ,¬Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ˆF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÈ**À­_Îå;0åÑ  «Ö& F·!5+ €_Îå;0åÑ,­Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ‚F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÀ**È®_Îå;0åÑ  «Ö& F½!5+ €_Îå;0åÑ,®Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ˆF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe.configS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exerityÈ**¸¯_Îå;0åÑ  «Ö& F±!5+ €_Îå;0åÑ,¯Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  |F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Event.Format.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe„Tx¸**¸°À/è;0åÑ  «Ö& F±!5+ €À/è;0åÑ,°Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  |F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\WSMan.Format.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe¸**¨±À/è;0åÑ  «Ö& F£!5+ €À/è;0åÑ,±Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  nF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe¨**°² ‘ê;0åÑ  «Ö& F§!5+ € ‘ê;0åÑ,²Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  rF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeRA$°**¸³ ‘ê;0åÑ  «Ö& F³!5+ € ‘ê;0åÑ,³Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ~F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exed¸**¸´€òì;0åÑ  «Ö& F¯!5+ €€òì;0åÑ,´Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  zF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\pspluginwkr-v3.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeexe¸**¨µ€òì;0åÑ  «Ö& F£!5+ €€òì;0åÑ,µMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  nF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe¨**À¶€òì;0åÑ  «Ö& F»!5+ €€òì;0åÑ,¶Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  †F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeCÀ**È·€òì;0åÑ  «Ö& FÃ!5+ €€òì;0åÑ,·Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŽF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe@È**¨¸áSï;0åÑ  «Ö& F£!5+ €áSï;0åÑ,¸Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  nF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\PSEvents.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe¨**¸¹áSï;0åÑ  «Ö& F¯!5+ €áSï;0åÑ,¹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  zF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeste¸**°ºáSï;0åÑ  «Ö& F©!5+ €áSï;0åÑ,ºMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  tF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\pspluginwkr.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exexe°**(»áSï;0åÑ  «Ö& F#!5+ €áSï;0åÑ,»Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  îF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe;(**ð¼Aµñ;0åÑ  «Ö& Fë!5+ €Aµñ;0åÑ,¼Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¶F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exexð**ð½Aµñ;0åÑ  «Ö& Fë!5+ €Aµñ;0åÑ,½Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¶F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeð**ؾAµñ;0åÑ  «Ö& FÏ!5+ €Aµñ;0åÑ,¾Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  šF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeSecØ**¿Aµñ;0åÑ  «Ö& F !5+ €Aµñ;0åÑ,¿Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ÖF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe;**0ÀAµñ;0åÑ  «Ö& F'!5+ €Aµñ;0åÑ,ÀMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  òF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe«Ö&0**¸ÁAµñ;0åÑ  «Ö& F³!5+ €Aµñ;0åÑ,ÁMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ~F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\ISE\ise.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe¸**¸Â¡ô;0åÑ  «Ö& F³!5+ €¡ô;0åÑ,ÂMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ~F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\ISE\ise.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe¸** áô;0åÑ  «Ö& F!5+ €¡ô;0åÑ,ÃMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  âF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exetin ** Ä¡ô;0åÑ  «Ö& F!5+ €¡ô;0åÑ,ÄMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  âF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeecu **øÅ¡ô;0åÑ  «Ö& Fñ!5+ €¡ô;0åÑ,ÅMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¼F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.Format.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeø**èÆ¡ô;0åÑ  «Ö& Fß!5+ €¡ô;0åÑ,ÆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ªF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeè**øÇ¡ô;0åÑ  «Ö& Fï!5+ €¡ô;0åÑ,ÇMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ºF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.types.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exerosø**ØÈxö;0åÑ  «Ö& FÏ!5+ €xö;0åÑ,ÈMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  šF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\PSWorkflow.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exemØ**ØÉxö;0åÑ  «Ö& FÏ!5+ €xö;0åÑ,ÉMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  šF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\PSWorkflow.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeØ**èÊxö;0åÑ  «Ö& Fß!5+ €xö;0åÑ,ÊMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ªF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSWorkflow\PSWorkflow.types.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeè**¨Ëxö;0åÑ  «Ö& F!5+ €xö;0åÑ,ËMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¦>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1S:AI@ C:\Windows\System32\poqexec.exeows\¨**¨Ìxö;0åÑ  «Ö& F!5+ €xö;0åÑ,ÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¦>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psm1S:AI@ C:\Windows\System32\poqexec.exepoqe¨** ÍbÙø;0åÑ  «Ö& F!5+ €bÙø;0åÑ,ÍMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  æF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe **ÎbÙø;0åÑ  «Ö& F !5+ €bÙø;0åÑ,ÎMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ÔF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\Test-DscConfiguration.cdxmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe **0ÏbÙø;0åÑ  «Ö& F%!5+ €bÙø;0åÑ,ÏMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ðF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.format.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeWind0**ÐbÙø;0åÑ  «Ö& F!5+ €bÙø;0åÑ,ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ÒF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\Get-DscConfiguration.cdxmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeWD)**ÑbÙø;0åÑ  «Ö& F!5+ €bÙø;0åÑ,ÑMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ÚF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\Restore-DscConfiguration.cdxmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe**(ÒbÙø;0åÑ  «Ö& F!5+ €bÙø;0åÑ,ÒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  êF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\Get-DSCLocalConfigurationManager.cdxmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exetin(**ÓÂ:û;0åÑ  «Ö& F!5+ €Â:û;0åÑ,ÓMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ÞF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe$**ÔÂ:û;0åÑ  «Ö& F!5+ €Â:û;0åÑ,ÔMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ÞF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe(**0ÕÂ:û;0åÑ  «Ö& F'!5+ €Â:û;0åÑ,ÕMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  òF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\WebDownloadManager.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe0**`ÖÂ:û;0åÑ  «Ö& FW!5+ €Â:û;0åÑ,ÖMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  "F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DownloadManager\DSCFileDownloadManager\DSCFileDownloadManager.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exerit`**ˆ×Â:û;0åÑ  «Ö& F!5+ €Â:û;0åÑ,×Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  LF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DownloadManager\DSCFileDownloadManager\Microsoft.PowerShell.DSC.FileDownloadManager.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeARˆ** Ø"œý;0åÑ  «Ö& F›!5+ €"œý;0åÑ,ØMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  fF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DownloadManager\DSCFileDownloadManager\en\Microsoft.PowerShell.DSC.FileDownloadManager.Resources.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe **8Ù"œý;0åÑ  «Ö& F1!5+ €"œý;0åÑ,ÙMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  üF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\en-US\PSDesiredStateConfiguration.Resource.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe8**pÚ"œý;0åÑ  «Ö& Fe!5+ €"œý;0åÑ,ÚMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  0F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\MSFT_EnvironmentResource.schema.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeDWDWp**`Û"œý;0åÑ  «Ö& FY!5+ €"œý;0åÑ,ÛMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  $F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\MSFT_EnvironmentResource.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe`**xÜ"œý;0åÑ  «Ö& Fq!5+ €"œý;0åÑ,ÜMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  <F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\en-US\MSFT_EnvironmentResource.schema.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeDLx**€Ý‚ýÿ;0åÑ  «Ö& Fu!5+ €‚ýÿ;0åÑ,ÝMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\en-US\MSFT_EnvironmentResource.strings.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exews\S€**PÞ‚ýÿ;0åÑ  «Ö& FI!5+ €‚ýÿ;0åÑ,ÞMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\MSFT_UserResource.schema.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeP**Hß‚ýÿ;0åÑ  «Ö& F=!5+ €‚ýÿ;0åÑ,ßMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\MSFT_UserResource.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeWIN-H**`à‚ýÿ;0åÑ  «Ö& FU!5+ €‚ýÿ;0åÑ,àMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\en-US\MSFT_UserResource.schema.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeDWO;`**`á‚ýÿ;0åÑ  «Ö& FY!5+ €‚ýÿ;0åÑ,áMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  $F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\en-US\MSFT_UserResource.strings.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe`**Pâã^<0åÑ  «Ö& FE!5+ €ã^<0åÑ,âMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\MSFT_LogResource.schema.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeP**Xãã^<0åÑ  «Ö& FQ!5+ €ã^<0åÑ,ãMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\en-US\MSFT_LogResource.schema.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exePCX**Päã^<0åÑ  «Ö& FI!5+ €ã^<0åÑ,äMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_PackageResource\MSFT_PackageResource.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeP**`åã^<0åÑ  «Ö& FU!5+ €ã^<0åÑ,åMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_PackageResource\MSFT_PackageResource.schema.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe `**hæã^<0åÑ  «Ö& Fa!5+ €ã^<0åÑ,æMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ,F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_PackageResource\en-US\MSFT_PackageResource.schema.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe(AhSAFA;DCLCRPC  «Ö& Fc.5+ €ã^<0åÑ,çMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  t-Windows-SeWIN-03DLIIOFRRA$WORKGROUPçSecurityFileindows\SysteWIN-03DLIIOFRRA$WORKGROUPçSecurityFileElfChnkç7ç7€Èû˜þV–é«2dâóè =Î÷²›f?øm©MFº&»**È çã^<0åÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! F!5+ €ã^<0åÑ,çMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»TØ®b¨ãb]Áh˺‘¬ÿÿ âD‚ EventDataAÿÿE ΊoData%=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ObjectServer Aÿÿ+ = ObjectType Aÿÿ+ = ObjectName Aÿÿ' =HandleId Aÿÿ! =OldSd Aÿÿ! =NewSd Aÿÿ) = ProcessId Aÿÿ- = ProcessName   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_PackageResource\en-US\PackageProvider.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exerityÈ **`èCÀ<0åÑ  «Ö& FU!5+ €CÀ<0åÑ,èMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\MSFT_ServiceResource.schema.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeurit`**PéCÀ<0åÑ  «Ö& FI!5+ €CÀ<0åÑ,éMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\MSFT_ServiceResource.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe;WP**pêCÀ<0åÑ  «Ö& Fe!5+ €CÀ<0åÑ,êMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  0F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\en-US\MSFT_ServiceResource.strings.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeåÑp**hëCÀ<0åÑ  «Ö& Fa!5+ €CÀ<0åÑ,ëMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ,F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\en-US\MSFT_ServiceResource.schema.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeOFh**Pì£!<0åÑ  «Ö& FI!5+ €£!<0åÑ,ìMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\MSFT_RoleResource.schema.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeSAP**Híƒ <0åÑ  «Ö& F=!5+ €ƒ <0åÑ,íMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\MSFT_RoleResource.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeH**`îƒ <0åÑ  «Ö& FU!5+ €ƒ <0åÑ,îMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\en-US\MSFT_RoleResource.schema.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeurit`**`ïƒ <0åÑ  «Ö& FW!5+ €ƒ <0åÑ,ïMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  "F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\en-US\MSFT_RoleResourceStrings.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exem32`**Pðdä <0åÑ  «Ö& FI!5+ €dä <0åÑ,ðMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\MSFT_ProcessResource.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe\pP**`ñdä <0åÑ  «Ö& FU!5+ €dä <0åÑ,ñMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\MSFT_ProcessResource.schema.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeoft-`**pòdä <0åÑ  «Ö& Fe!5+ €dä <0åÑ,òMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  0F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\en-US\MSFT_ProcessResource.strings.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exePçp**hódä <0åÑ  «Ö& Fa!5+ €dä <0åÑ,óMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ,F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\en-US\MSFT_ProcessResource.schema.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exedoh**Hôdä <0åÑ  «Ö& FA!5+ €dä <0åÑ,ôMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\MSFT_GroupResource.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe á;H**Xõdä <0åÑ  «Ö& FM!5+ €dä <0åÑ,õMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\MSFT_GroupResource.schema.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe\X**`öÄE<0åÑ  «Ö& FY!5+ €ÄE<0åÑ,öMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  $F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\en-US\MSFT_GroupResource.schema.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exewn`**h÷ÄE<0åÑ  «Ö& F]!5+ €ÄE<0åÑ,÷Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  (F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\en-US\MSFT_GroupResource.strings.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exexec.h**`øÄE<0åÑ  «Ö& FY!5+ €ÄE<0åÑ,øMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  $F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\MSFT_RegistryResource.schema.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeos`**XùÄE<0åÑ  «Ö& FM!5+ €ÄE<0åÑ,ùMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\MSFT_RegistryResource.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeX**púÄE<0åÑ  «Ö& Fi!5+ €ÄE<0åÑ,úMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  4F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\en-US\MSFT_RegistryResource.strings.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeTyp**pû$§<0åÑ  «Ö& Fe!5+ €$§<0åÑ,ûMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  0F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\en-US\MSFT_RegistryResource.schema.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeexecp**Pü$§<0åÑ  «Ö& FE!5+ €$§<0åÑ,üMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\MSFT_ScriptResource.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe±!P**Xý$§<0åÑ  «Ö& FQ!5+ €$§<0åÑ,ýMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\MSFT_ScriptResource.schema.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe X**hþ$§<0åÑ  «Ö& F_!5+ €$§<0åÑ,þMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  *F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\en-US\MSFT_ScriptResourceStrings.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exem32h**hÿ$§<0åÑ  «Ö& F]!5+ €$§<0åÑ,ÿMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  (F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\en-US\MSFT_ScriptResource.schema.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeSysth**P…<0åÑ  «Ö& FI!5+ €…<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\MSFT_ArchiveResource.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeP**`…<0åÑ  «Ö& FU!5+ €…<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\MSFT_ArchiveResource.schema.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe `**h…<0åÑ  «Ö& Fa!5+ €…<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ,F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\en-US\MSFT_ArchiveResource.schema.mflS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exewsh**P…<0åÑ  «Ö& FK!5+ €…<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\en-US\ArchiveProvider.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeSP**…<0åÑ  «Ö& F!5+ €…<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ÚF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe¹**Ðåi<0åÑ  «Ö& FÉ!5+ €åi<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ”F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\ProviderHelp.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÖ&Ð**Èåi<0åÑ  «Ö& FÁ!5+ €åi<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŒF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\inlineUi.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÈ**èåi<0åÑ  «Ö& Fã!5+ €åi<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ®F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\ManagedDeveloperStructure.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe;è**èåi<0åÑ  «Ö& Fã!5+ €åi<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ®F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedStructure.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeeè**è åi<0åÑ  «Ö& Fã!5+ €åi<0åÑ, Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ®F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedInterface.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exexè**Ø åi<0åÑ  «Ö& FÏ!5+ €åi<0åÑ, Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  šF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\baseConditional.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exexecØ**È EË<0åÑ  «Ö& FÁ!5+ €EË<0åÑ, Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŒF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\glossary.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeDWÈ**è EË<0åÑ  «Ö& Fã!5+ €EË<0åÑ, Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ®F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedNamespace.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exesè**È EË<0åÑ  «Ö& FÃ!5+ €EË<0åÑ, Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŽF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\hierarchy.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÈ**èEË<0åÑ  «Ö& FÝ!5+ €EË<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¨F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedMethod.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exePCRSè**ÀEË<0åÑ  «Ö& F»!5+ €EË<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  †F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\block.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exerÀ**ØEË<0åÑ  «Ö& FÑ!5+ €EË<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  œF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManaged.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeofØ**ÈEË<0åÑ  «Ö& FÃ!5+ €EË<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŽF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developer.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exetÈ**Ø¥,<0åÑ  «Ö& FÑ!5+ €¥,<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  œF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerCommand.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeilØ**À¥,<0åÑ  «Ö& F·!5+ €¥,<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ‚F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\faq.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeORKÀ**è¥,<0åÑ  «Ö& FÝ!5+ €¥,<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¨F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\structureTaskExecution.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeIIOFè**Ø¥,<0åÑ  «Ö& FÏ!5+ €¥,<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  šF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml_HTML_Style.xslS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeIOFØ**Ø¥,<0åÑ  «Ö& FÍ!5+ €¥,<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ˜F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\structureTable.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeIIOFØ**Ð¥,<0åÑ  «Ö& FË!5+ €¥,<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  –F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerXaml.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÐ**ÀŽ<0åÑ  «Ö& F¹!5+ €Ž<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  „F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml.tbrS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeOFÀ**ÈŽ<0åÑ  «Ö& F½!5+ €Ž<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ˆF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\inline.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exePçÈ**èŽ<0åÑ  «Ö& Fá!5+ €Ž<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¬F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedOverload.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeè**ÐŽ<0åÑ  «Ö& FÉ!5+ €Ž<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ”F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\inlineCommon.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe»Ð**ÀŽ<0åÑ  «Ö& F¹!5+ €Ž<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  „F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeMiÀ**àŽ<0åÑ  «Ö& FÛ!5+ €Ž<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¦F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedClass.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeà**èŽ<0åÑ  «Ö& Fá!5+ €Ž<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¬F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedDelegate.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeè**àfï<0åÑ  «Ö& FÕ!5+ €fï<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerStructure.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe.exeà**Ø fï<0åÑ  «Ö& FÑ!5+ €fï<0åÑ, Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  œF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\ManagedDeveloper.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe)@Ø**ð!fï<0åÑ  «Ö& Fç!5+ €fï<0åÑ,!Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ²F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedConstructor.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeA;Dð**Ø"fï<0åÑ  «Ö& FÑ!5+ €fï<0åÑ,"Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  œF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerCommand.rldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe\WØ**Ð#fï<0åÑ  «Ö& FË!5+ €fï<0åÑ,#Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  –F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\blockSoftware.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe\Ð**à$fï<0åÑ  «Ö& FÕ!5+ €fï<0åÑ,$Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\structureProcedure.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exePçà**è%ÆP!<0åÑ  «Ö& Fá!5+ €ÆP!<0åÑ,%Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¬F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedOperator.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe„Txè**À&ÆP!<0åÑ  «Ö& F¹!5+ €ÆP!<0åÑ,&Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  „F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\task.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe*À**Ð'ÆP!<0åÑ  «Ö& FË!5+ €ÆP!<0åÑ,'Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  –F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\structureList.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeDÐ**È(ÆP!<0åÑ  «Ö& FÃ!5+ €ÆP!<0åÑ,(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŽF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\structure.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exenÈ**Ø)ÆP!<0åÑ  «Ö& FÍ!5+ €ÆP!<0åÑ,)Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ˜F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\inlineSoftware.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe\WinØ**Ð*ÆP!<0åÑ  «Ö& FÉ!5+ €ÆP!<0åÑ,*Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ”F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\shellExecute.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÐ**À+'²#<0åÑ  «Ö& F¹!5+ €'²#<0åÑ,+Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  „F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml.xsxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeýÿ;À**à,'²#<0åÑ  «Ö& FÛ!5+ €'²#<0åÑ,,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¦F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedEvent.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeeà**À-'²#<0åÑ  «Ö& F¹!5+ €'²#<0åÑ,-Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  „F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml.rldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exechÀ**À.'²#<0åÑ  «Ö& F¹!5+ €'²#<0åÑ,.Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  „F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\base.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exereÀ**à/'²#<0åÑ  «Ö& FÕ!5+ €'²#<0åÑ,/Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerReference.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeWindà**Ø0'²#<0åÑ  «Ö& FÏ!5+ €'²#<0åÑ,0Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  šF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\troubleshooting.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeØ**À1'²#<0åÑ  «Ö& F»!5+ €'²#<0åÑ,1Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  †F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\ITPro.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe<À**È2‡&<0åÑ  «Ö& F¿!5+ €‡&<0åÑ,2Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŠF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\command.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÈ**Ð3‡&<0åÑ  «Ö& FÉ!5+ €‡&<0åÑ,3Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ”F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\conditionSet.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeRAÐ**à4‡&<0åÑ  «Ö& FÛ!5+ €‡&<0åÑ,4Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¦F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedField.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exesà**ð5‡&<0åÑ  «Ö& Fç!5+ €‡&<0åÑ,5Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ²F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedEnumeration.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe.0\ð**Ø6‡&<0åÑ  «Ö& FÓ!5+ €‡&<0åÑ,6Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  žF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\structureGlossary.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe$Ø**Ð7‡&<0åÑ  «Ö& FÇ!5+ €‡&<0åÑ,7Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ’F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\blockCommon.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeAudÐing%–„TxT”I¥º>;(à S  «Ö& F5+ €çt(<0åÑ,8Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b» WORKGROUPçSecurityFElfChnk8–8–€ðû¨þ(á¿ó¦õ6gâóè =Î÷²›f?øm©MFº&»**8 8çt(<0åÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! Fƒ!5+ €çt(<0åÑ,8Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»TØ®b¨ãb]Áh˺‘¬ÿÿ âD‚ EventDataAÿÿE ΊoData%=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ObjectServer Aÿÿ+ = ObjectType Aÿÿ+ = ObjectName Aÿÿ' =HandleId Aÿÿ! =OldSd Aÿÿ! =NewSd Aÿÿ) = ProcessId Aÿÿ- = ProcessName   ŠF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\endUser.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe:A8 **È9çt(<0åÑ  «Ö& FÃ!5+ €çt(<0åÑ,9Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŽF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml_HTML.xslS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exetÈ**è:çt(<0åÑ  «Ö& Fá!5+ €çt(<0åÑ,:Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¬F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedProperty.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exestè**À;GÖ*<0åÑ  «Ö& F»!5+ €GÖ*<0åÑ,;Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  †F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\en-US\powershell.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÀ**À<GÖ*<0åÑ  «Ö& F·!5+ €GÖ*<0åÑ,<Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ‚F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\en-US\PSEvents.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÀ**À=È[4<0åÑ  «Ö& F·!5+ €È[4<0åÑ,=Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ‚F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\en-US\default.help.txtS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeSysÀ**È>‰9<0åÑ  «Ö& FÃ!5+ €‰9<0åÑ,>Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŽF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\en-US\pspluginwkr-v3.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeeÈ**À?Já=<0åÑ  «Ö& F·!5+ €Já=<0åÑ,?Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ‚F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\en-US\pwrshmsg.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeSDeÀ**Ð@ªB@<0åÑ  «Ö& FÉ!5+ €ªB@<0åÑ,@Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ”F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\en\powershell_ise.resources.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeitÐ**€AªB@<0åÑ  «Ö& Fu!5+ €ªB@<0åÑ,AMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ~>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\System32\WindowsPowerShell\v1.0\Examples\profile.ps1S:AI@ C:\Windows\System32\poqexec.exeWind€**°BªB@<0åÑ  «Ö& F«!5+ €ªB@<0åÑ,BMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  vF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\PolicyDefinitions\PowerShellExecutionPolicy.admxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe°**°CªB@<0åÑ  «Ö& F§!5+ €ªB@<0åÑ,CMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  rF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\PolicyDefinitions\WindowsRemoteManagement.admxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exem1°**¸D ¤B<0åÑ  «Ö& F³!5+ € ¤B<0åÑ,DMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ~F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\PolicyDefinitions\en-US\WindowsRemoteManagement.admlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exea¸**ÀE ¤B<0åÑ  «Ö& F·!5+ € ¤B<0åÑ,EMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ‚F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\PolicyDefinitions\en-US\PowerShellExecutionPolicy.admlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeROUÀ**¨F ¤B<0åÑ  «Ö& F£!5+ € ¤B<0åÑ,FMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  nF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\PolicyDefinitions\en-US\EventForwarding.admlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exed¨**°G ¤B<0åÑ  «Ö& F©!5+ € ¤B<0åÑ,GMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  tF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\PolicyDefinitions\en-US\WindowsRemoteShell.admlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exedo°**€HjE<0åÑ  «Ö& Fw!5+ €jE<0åÑ,HMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  BF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\Migration\WTR\wmf3.infS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exece\€**ˆIjE<0åÑ  «Ö& Fƒ!5+ €jE<0åÑ,IMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  NF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WSManHTTPConfig.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exetˆ**€JjE<0åÑ  «Ö& Fy!5+ €jE<0åÑ,JMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  DF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\framedynos.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe„Tx€**xKjE<0åÑ  «Ö& Fq!5+ €jE<0åÑ,KMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  <F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WsmSvc.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exewnx**xLjE<0åÑ  «Ö& Fq!5+ €jE<0åÑ,LMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  <F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WsmRes.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeoux**€MËfG<0åÑ  «Ö& Fu!5+ €ËfG<0åÑ,MMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wsmplpxy.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeSec€**€NËfG<0åÑ  «Ö& F{!5+ €ËfG<0åÑ,NMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  FF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\pwrshplugin.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe-€**ØOËfG<0åÑ  «Ö& FÍ!5+ €ËfG<0åÑ,OMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ˜F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\Microsoft.Management.Infrastructure.Native.Unmanaged.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeØ**€PËfG<0åÑ  «Ö& Fw!5+ €ËfG<0åÑ,PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  BF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\winrshost.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeyRe€** QËfG<0åÑ  «Ö& F—!5+ €ËfG<0åÑ,QMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  bF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\PSModuleDiscoveryProvider.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeowe **xR+ÈI<0åÑ  «Ö& Fo!5+ €+ÈI<0åÑ,RMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  :F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\winrm.vbsS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe%–„Txx**xS+ÈI<0åÑ  «Ö& Fs!5+ €+ÈI<0åÑ,SMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wevtfwd.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exex**pT+ÈI<0åÑ  «Ö& Fi!5+ €+ÈI<0åÑ,TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  4F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\mi.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.execep**€U+ÈI<0åÑ  «Ö& Fu!5+ €+ÈI<0åÑ,UMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\framedyn.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeeC:\€**xV+ÈI<0åÑ  «Ö& Fo!5+ €+ÈI<0åÑ,VMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  :F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\winrs.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeindx**xW+ÈI<0åÑ  «Ö& Fs!5+ €+ÈI<0åÑ,WMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wmidcom.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeox**€X‹)L<0åÑ  «Ö& Fu!5+ €‹)L<0åÑ,XMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\winrscmd.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeDSCR€**€Y‹)L<0åÑ  «Ö& F{!5+ €‹)L<0åÑ,YMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  FF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\prvdmofcomp.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeK€**Z‹)L<0åÑ  «Ö& F‰!5+ €‹)L<0åÑ,ZMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  TF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wsmanconfig_schema.xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeos**€[‹)L<0åÑ  «Ö& F{!5+ €‹)L<0åÑ,[Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  FF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wsmprovhost.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe:€**€\‹)L<0åÑ  «Ö& Fu!5+ €‹)L<0åÑ,\Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WsmAgent.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeion\€**€]‹)L<0åÑ  «Ö& Fu!5+ €‹)L<0åÑ,]Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WsmWmiPl.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeRRA$€**€^ëŠN<0åÑ  «Ö& Fu!5+ €ëŠN<0åÑ,^Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\winrssrv.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe-Aud€**x_ëŠN<0åÑ  «Ö& Fs!5+ €ëŠN<0åÑ,_Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\miutils.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exex**€`ëŠN<0åÑ  «Ö& Fu!5+ €ëŠN<0åÑ,`Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\ncobjapi.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe€**€aëŠN<0åÑ  «Ö& Fy!5+ €ëŠN<0åÑ,aMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  DF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\mimofcodec.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeow€**xbëŠN<0åÑ  «Ö& Fs!5+ €ëŠN<0åÑ,bMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WsmAuto.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeex**€cëŠN<0åÑ  «Ö& Fw!5+ €ëŠN<0åÑ,cMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  BF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbemcomn2.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeowe€**˜dLìP<0åÑ  «Ö& F!5+ €LìP<0åÑ,dMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  XF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WSManMigrationPlugin.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeSec˜**€eLìP<0åÑ  «Ö& Fy!5+ €LìP<0åÑ,eMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  DF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\mibincodec.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe€**€fLìP<0åÑ  «Ö& Fw!5+ €LìP<0åÑ,fMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  BF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WsmGCDeps.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe¥º>;€**xgLìP<0åÑ  «Ö& Fq!5+ €LìP<0åÑ,gMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  <F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wecapi.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exex**xhLìP<0åÑ  «Ö& Fs!5+ €LìP<0åÑ,hMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wecutil.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exex**˜iLìP<0åÑ  «Ö& F!5+ €LìP<0åÑ,iMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  XF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\Register-CimProvider.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exem32\˜**xj¬MS<0åÑ  «Ö& Fs!5+ €¬MS<0åÑ,jMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  >F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wmitomi.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeRx**€k¬MS<0åÑ  «Ö& Fu!5+ €¬MS<0åÑ,kMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  @F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\winrsmgr.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeml\d€**ˆl¬MS<0åÑ  «Ö& Fƒ!5+ €¬MS<0åÑ,lMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  NF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\en-US\Winrs.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe2ˆ**m¬MS<0åÑ  «Ö& F‡!5+ €¬MS<0åÑ,mMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  RF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\en-US\wecutil.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeSec**¨n¬MS<0åÑ  «Ö& F¡!5+ €¬MS<0åÑ,nMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  lF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\en-US\register-cimprovider.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeDL¨**o ¯U<0åÑ  «Ö& F‡!5+ € ¯U<0åÑ,oMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  RF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\en-US\wmitomi.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe¨**˜p ¯U<0åÑ  «Ö& F!5+ € ¯U<0åÑ,pMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ZF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\en-US\pwrshplugin.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exetin˜**ˆq ¯U<0åÑ  «Ö& F}!5+ € ¯U<0åÑ,qMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\en-US\mi.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeåш**r ¯U<0åÑ  «Ö& F…!5+ € ¯U<0åÑ,rMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  PF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\en-US\wecsvc.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe**smX<0åÑ  «Ö& F‡!5+ €mX<0åÑ,sMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  RF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\en-US\wevtfwd.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe****tmX<0åÑ  «Ö& F…!5+ €mX<0åÑ,tMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  PF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\en-US\WsmRes.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe\Sys**umX<0åÑ  «Ö& F‡!5+ €mX<0åÑ,uMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  RF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\en-US\miutils.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeDWD**°vmX<0åÑ  «Ö& F«!5+ €mX<0åÑ,vMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  vF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\en-US\PSModuleDiscoveryProvider.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe°**wmX<0åÑ  «Ö& F…!5+ €mX<0åÑ,wMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  PF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\en-US\WsmSvc.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe1.0\**xÍqZ<0åÑ  «Ö& F…!5+ €ÍqZ<0åÑ,xMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  PF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\winrm\0409\winrm.iniS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeows\**ˆyÍqZ<0åÑ  «Ö& F}!5+ €ÍqZ<0åÑ,yMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\WMIADAP.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeGROUˆ**ˆzÍqZ<0åÑ  «Ö& F!5+ €ÍqZ<0åÑ,zMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\wmiutils.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeˆ**ˆ{ÍqZ<0åÑ  «Ö& F!5+ €ÍqZ<0åÑ,{Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\WmiPrvSE.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeecuˆ**ˆ|ÍqZ<0åÑ  «Ö& F}!5+ €ÍqZ<0åÑ,|Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\stdprov.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeˆ**€}-Ó\<0åÑ  «Ö& Fw!5+ €-Ó\<0åÑ,}Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  BF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\mofd.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exefï<€**ˆ~-Ó\<0åÑ  «Ö& F!5+ €-Ó\<0åÑ,~Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\fastprox.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe;WDˆ**€-Ó\<0åÑ  «Ö& F{!5+ €-Ó\<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  FF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\esscli.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exem€**ˆ€-Ó\<0åÑ  «Ö& F!5+ €-Ó\<0åÑ,€Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\WMICOOKR.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeoweˆ**ˆ4_<0åÑ  «Ö& F!5+ €4_<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\WmiApRpl.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeritˆ**ˆ‚4_<0åÑ  «Ö& F}!5+ €4_<0åÑ,‚Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\wbemsvc.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeFˆ**ˆƒ4_<0åÑ  «Ö& F}!5+ €4_<0åÑ,ƒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\WinMgmt.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeitinˆ**ˆ„4_<0åÑ  «Ö& F!5+ €4_<0åÑ,„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\WsmAgent.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exerosˆ**ˆ…4_<0åÑ  «Ö& F}!5+ €4_<0åÑ,…Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  HF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\mofcomp.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeˆ**ˆ†4_<0åÑ  «Ö& F!5+ €4_<0åÑ,†Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\wbemprox.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeˆ**˜‡4_<0åÑ  «Ö& F‘!5+ €4_<0åÑ,‡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  \F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\WsmAgentUninstall.mofS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe2\˜**ˆˆî•a<0åÑ  «Ö& F!5+ €î•a<0åÑ,ˆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  JF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\WmiDcPrv.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeCRPˆ**‰î•a<0åÑ  «Ö& F…!5+ €î•a<0åÑ,‰Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  PF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\xml\wmi2xml.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exexsx**˜Šî•a<0åÑ  «Ö& F“!5+ €î•a<0åÑ,ŠMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ^F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\en-US\wmiutils.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exee˜**˜‹î•a<0åÑ  «Ö& F‘!5+ €î•a<0åÑ,‹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  \F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\en-US\WinMgmt.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exes\˜**ŒN÷c<0åÑ  «Ö& F‹!5+ €N÷c<0åÑ,ŒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  VF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\en-US\mofd.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe**˜N÷c<0åÑ  «Ö& F“!5+ €N÷c<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ^F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\en-US\WmiApRpl.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeL˜**˜ŽN÷c<0åÑ  «Ö& F‘!5+ €N÷c<0åÑ,ŽMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  \F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\wbem\en-US\mofcomp.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe ˜**¨N÷c<0åÑ  «Ö& F!5+ €N÷c<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  hF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\migration\WMIMigrationPlugin.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeg%–„Tx¨**¨N÷c<0åÑ  «Ö& F£!5+ €N÷c<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  nF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshmsg.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exey¨**°‘N÷c<0åÑ  «Ö& F§!5+ €N÷c<0åÑ,‘Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  rF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\typesv3.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeind°**¸’®Xf<0åÑ  «Ö& F¯!5+ €®Xf<0åÑ,’Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  zF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeMi¸**°“®Xf<0åÑ  «Ö& F§!5+ €®Xf<0åÑ,“Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  rF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe°**È”®Xf<0åÑ  «Ö& F½!5+ €®Xf<0åÑ,”Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ˆF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe.configS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÈ**¸•®Xf<0åÑ  «Ö& F±!5+ €®Xf<0åÑ,•Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  |F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Event.Format.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÖ&¸**¸–ºh<0åÑ  «Ö& F¯!5+ €ºh<0åÑ,–Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  zF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\pspluginwkr-v3.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe%–„Tx¸º>;(à S  «Ö&  «Ö& F €çt5+ €ºh<0åÑ,—Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b» PçSecurityFElfChnk—ë—뀀ý¨ÿzZÀòwú?âóè =|èÎ÷²›fKè?øyç©MFºÖä&÷£ò$軫ê** —ºh<0åÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! Fg!5+ €ºh<0åÑ,—Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»TØ®b¨ãb]Áh˺‘¬ÿÿ âD‚ EventDataAÿÿE ΊoData%=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != ObjectServer Aÿÿ+ = ObjectType Aÿÿ+ = ObjectName Aÿÿ' =HandleId Aÿÿ! =OldSd Aÿÿ! =NewSd Aÿÿ) = ProcessId Aÿÿ- = ProcessName   nF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe2\po **¸˜ºh<0åÑ  «Ö& F³!5+ €ºh<0åÑ,˜Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ~F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\HelpV3.format.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exey¸**¨™ºh<0åÑ  «Ö& F£!5+ €ºh<0åÑ,™Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  nF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\PSEvents.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeP¨**°šºh<0åÑ  «Ö& F©!5+ €ºh<0åÑ,šMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  tF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\pspluginwkr.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeSA°**(›ok<0åÑ  «Ö& F#!5+ €ok<0åÑ,›Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  îF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exec(**Øœok<0åÑ  «Ö& FÏ!5+ €ok<0åÑ,œMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  šF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe**Ø**ok<0åÑ  «Ö& F !5+ €ok<0åÑ,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ÖF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe**0žok<0åÑ  «Ö& F'!5+ €ok<0åÑ,žMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  òF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exews-0**øŸÏ|m<0åÑ  «Ö& Fñ!5+ €Ï|m<0åÑ,ŸMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¼F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.Format.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe„Txø**è Ï|m<0åÑ  «Ö& Fß!5+ €Ï|m<0åÑ, Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ªF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeè**ø¡Ï|m<0åÑ  «Ö& Fï!5+ €Ï|m<0åÑ,¡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ºF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.types.ps1xmlS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeritø**¸¢Ï|m<0åÑ  «Ö& F³!5+ €Ï|m<0åÑ,¢Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ~F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ISE\ise.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exel¸**¸£Ï|m<0åÑ  «Ö& F³!5+ €Ï|m<0åÑ,£Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ~F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ISE\ise.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exel¸** ¤Ï|m<0åÑ  «Ö& F!5+ €Ï|m<0åÑ,¤Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  âF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeard ** ¥Ï|m<0åÑ  «Ö& F!5+ €Ï|m<0åÑ,¥Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  âF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeWin **¦/Þo<0åÑ  «Ö& F!5+ €/Þo<0åÑ,¦Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ÚF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe** §/Þo<0åÑ  «Ö& F!5+ €/Þo<0åÑ,§Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  æF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exec **Ш/Þo<0åÑ  «Ö& FÉ!5+ €/Þo<0åÑ,¨Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ”F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\ProviderHelp.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÐ**È©/Þo<0åÑ  «Ö& FÁ!5+ €/Þo<0åÑ,©Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŒF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\inlineUi.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeitÈ**èª/Þo<0åÑ  «Ö& Fã!5+ €/Þo<0åÑ,ªMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ®F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\ManagedDeveloperStructure.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe;è**è«?r<0åÑ  «Ö& Fã!5+ €?r<0åÑ,«Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ®F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedStructure.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exexè**è¬?r<0åÑ  «Ö& Fã!5+ €?r<0åÑ,¬Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ®F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedInterface.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeè**Ø­?r<0åÑ  «Ö& FÏ!5+ €?r<0åÑ,­Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  šF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\baseConditional.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeØ**È®?r<0åÑ  «Ö& FÁ!5+ €?r<0åÑ,®Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŒF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\glossary.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÈ**è¯?r<0åÑ  «Ö& Fã!5+ €?r<0åÑ,¯Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ®F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedNamespace.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeè**È°?r<0åÑ  «Ö& FÃ!5+ €?r<0åÑ,°Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŽF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\hierarchy.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÈ**è±?r<0åÑ  «Ö& FÝ!5+ €?r<0åÑ,±Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¨F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedMethod.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeows\è**À²ð t<0åÑ  «Ö& F»!5+ €ð t<0åÑ,²Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  †F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\block.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe;À**سð t<0åÑ  «Ö& FÑ!5+ €ð t<0åÑ,³Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  œF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManaged.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeemØ**È´ð t<0åÑ  «Ö& FÃ!5+ €ð t<0åÑ,´Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŽF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developer.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÈ**صð t<0åÑ  «Ö& FÑ!5+ €ð t<0åÑ,µMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  œF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerCommand.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeØ**À¶ð t<0åÑ  «Ö& F·!5+ €ð t<0åÑ,¶Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ‚F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\faq.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeft-À**è·ð t<0åÑ  «Ö& FÝ!5+ €ð t<0åÑ,·Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¨F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\structureTaskExecution.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe è**ظPw<0åÑ  «Ö& FÏ!5+ €Pw<0åÑ,¸Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  šF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml_HTML_Style.xslS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeRA$Ø**عPw<0åÑ  «Ö& FÍ!5+ €Pw<0åÑ,¹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ˜F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\structureTable.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeOW64Ø**кPw<0åÑ  «Ö& FË!5+ €Pw<0åÑ,ºMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  –F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerXaml.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeSÐ**À»Pw<0åÑ  «Ö& F¹!5+ €Pw<0åÑ,»Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  „F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml.tbrS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe2\À**ȼPw<0åÑ  «Ö& F½!5+ €Pw<0åÑ,¼Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ˆF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\inline.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe «Ö&È**è½Pw<0åÑ  «Ö& Fá!5+ €Pw<0åÑ,½Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¬F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedOverload.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeè**о°cy<0åÑ  «Ö& FÉ!5+ €°cy<0åÑ,¾Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ”F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\inlineCommon.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe„TxÐ**À¿°cy<0åÑ  «Ö& F¹!5+ €°cy<0åÑ,¿Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  „F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe»À**àÀ°cy<0åÑ  «Ö& FÛ!5+ €°cy<0åÑ,ÀMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¦F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedClass.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe$à**èÁ°cy<0åÑ  «Ö& Fá!5+ €°cy<0åÑ,ÁMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¬F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedDelegate.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exei.è**à°cy<0åÑ  «Ö& FÕ!5+ €°cy<0åÑ,ÂMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerStructure.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe:\Wià**Øðcy<0åÑ  «Ö& FÑ!5+ €°cy<0åÑ,ÃMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  œF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\ManagedDeveloper.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe*Ø**ðÄ°cy<0åÑ  «Ö& Fç!5+ €°cy<0åÑ,ÄMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ²F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedConstructor.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeð**ØÅÅ{<0åÑ  «Ö& FÑ!5+ €Å{<0åÑ,ÅMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  œF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerCommand.rldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeudØ**ÐÆÅ{<0åÑ  «Ö& FË!5+ €Å{<0åÑ,ÆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  –F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\blockSoftware.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÐ**àÇÅ{<0åÑ  «Ö& FÕ!5+ €Å{<0åÑ,ÇMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\structureProcedure.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeRRA$à**èÈÅ{<0åÑ  «Ö& Fá!5+ €Å{<0åÑ,ÈMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¬F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedOperator.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exendè**ÀÉÅ{<0åÑ  «Ö& F¹!5+ €Å{<0åÑ,ÉMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  „F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\task.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeshÀ**ÐÊÅ{<0åÑ  «Ö& FË!5+ €Å{<0åÑ,ÊMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  –F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\structureList.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeCÐ**ÈËq&~<0åÑ  «Ö& FÃ!5+ €q&~<0åÑ,ËMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŽF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\structure.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeoÈ**ØÌq&~<0åÑ  «Ö& FÍ!5+ €q&~<0åÑ,ÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ˜F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\inlineSoftware.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exetØ**ÐÍq&~<0åÑ  «Ö& FÉ!5+ €q&~<0åÑ,ÍMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ”F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\shellExecute.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÐ**ÀÎq&~<0åÑ  «Ö& F¹!5+ €q&~<0åÑ,ÎMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  „F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml.xsxS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÀ**àÏq&~<0åÑ  «Ö& FÛ!5+ €q&~<0åÑ,ÏMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¦F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedEvent.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe-à**ÀÐq&~<0åÑ  «Ö& F¹!5+ €q&~<0åÑ,ÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  „F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml.rldS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeinÀ**ÀÑq&~<0åÑ  «Ö& F¹!5+ €q&~<0åÑ,ÑMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  „F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\base.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe»À**àÒч€<0åÑ  «Ö& FÕ!5+ €Ñ‡€<0åÑ,ÒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»   F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerReference.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeIIOFà**ØÓч€<0åÑ  «Ö& FÏ!5+ €Ñ‡€<0åÑ,ÓMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  šF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\troubleshooting.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exews\Ø**ÀÔч€<0åÑ  «Ö& F»!5+ €Ñ‡€<0åÑ,ÔMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  †F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\ITPro.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÀ**ÈÕч€<0åÑ  «Ö& F¿!5+ €Ñ‡€<0åÑ,ÕMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŠF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\command.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe;WDÈ**ÐÖч€<0åÑ  «Ö& FÉ!5+ €Ñ‡€<0åÑ,ÖMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ”F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\conditionSet.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exexeÐ**à×ч€<0åÑ  «Ö& FÛ!5+ €Ñ‡€<0åÑ,×Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¦F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedField.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeà**ðØ2é‚<0åÑ  «Ö& Fç!5+ €2é‚<0åÑ,ØMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ²F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedEnumeration.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exews-ð**ØÙ2é‚<0åÑ  «Ö& FÓ!5+ €2é‚<0åÑ,ÙMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  žF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\structureGlossary.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeØ**ÐÚ2é‚<0åÑ  «Ö& FÇ!5+ €2é‚<0åÑ,ÚMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ’F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\blockCommon.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeIN-Ð**ÈÛ2é‚<0åÑ  «Ö& F¿!5+ €2é‚<0åÑ,ÛMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŠF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\endUser.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeritÈ**ÈÜ2é‚<0åÑ  «Ö& FÃ!5+ €2é‚<0åÑ,ÜMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŽF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml_HTML.xslS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeoÈ**èÝ2é‚<0åÑ  «Ö& Fá!5+ €2é‚<0åÑ,ÝMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ¬F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\developerManagedProperty.xsdS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeWDè**ÀÞ’J…<0åÑ  «Ö& F»!5+ €’J…<0åÑ,ÞMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  †F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\powershell.exe.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exesÀ**Àßò«‡<0åÑ  «Ö& F·!5+ €ò«‡<0åÑ,ßMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ‚F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\PSEvents.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exe‰À**Ààs1‘<0åÑ  «Ö& F·!5+ €s1‘<0åÑ,àMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ‚F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txtS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÀ**ÈáÓ’“<0åÑ  «Ö& FÃ!5+ €Ó’“<0åÑ,áMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ŽF>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\pspluginwkr-v3.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeÈ**Àâô¶š<0åÑ  «Ö& F·!5+ €ô¶š<0åÑ,âMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ‚F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\pwrshmsg.dll.muiS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeŒÀ**Ðãô¶š<0åÑ  «Ö& FÉ!5+ €ô¶š<0åÑ,ãMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»  ”F>WIN-03DLIIOFRRA$WORKGROUPçSecurityFileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\en\powershell_ise.resources.dllS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)@ C:\Windows\System32\poqexec.exeudÐ**àäùM×=0åÑ ê@SÖäê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $yçm5DUserData! u!gL @ùM×=0åÑP° ä T3[$èT3[ÓˆY}É*ë•ÄlJAÿÿ>Kè«'ServiceShutdown F|èNwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**PåaL0åÑ  «Ö& F9!0 €aL0åÑxžPèg åMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî«êÝ&ÎîË|Ö Žp)·cîÿÿâiP**¨æatcL0åÑ  «Ö& F‹!1 €atcL0åÑxžPèg æMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁûëï:ÚÁ¹öǬr›fË8(~ÿÿrâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId Aÿÿ) = LogonType Aÿÿ7 )=LogonProcessName AÿÿI ;=AuthenticationPackageName Aÿÿ5 '=WorkstationName Aÿÿ) = LogonGuid Aÿÿ= /=TransmittedServices Aÿÿ1 #= LmPackageName Aÿÿ) = KeyLength Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort   --SYSTEMNT AUTHORITYç-------5+¨**ÈçcvL0åÑ  «Ö& F¯!5& €cvL0åÑxžPèg HçMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ£òºìÇ'1°—`A—–—ù tÿÿhâAÿÿ' =PuaCount Aÿÿ- = PuaPolicyId tËCLÈ**˜è$B{L0åÑ  «Ö& F!1 €$B{L0åÑxžPèg hèMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁûë " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--AI˜**ðé$B{L0åÑ  «Ö& F×!1@ €$B{L0åÑxžPèg héMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«÷ûë®x«C‚Å“Â-ž:ÿÿ.âAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList  &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeilð**¨êç“L0åÑ  «Ö& F‘!1 €ç“L0åÑxžPèg hêMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁûë "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--èC:\Windows\System32\services.exe--c¨**(ëç“L0åÑ  «Ö& F !1@ €ç“L0åÑxžPèg hëMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«÷  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegerit( TØ®b» PçSecurityFElfChnkì=ì=€0ûàýs7¾<8§Ýðóè=DŠÎ÷²›fŠ?øA‰©MFºž†&3k’uA쉻1sŒË- ** ì4šL0åÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! FQ!1 €4šL0åÑxžPèg 4ìMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉï:ÚÁ¹öǬr›fË8(¬ÿÿ ðD‚ EventDataAÿÿEΊoData%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId Aÿÿ)= LogonType Aÿÿ7)=LogonProcessName AÿÿI;=AuthenticationPackageName Aÿÿ5'=WorkstationName Aÿÿ)= LogonGuid Aÿÿ=/=TransmittedServices Aÿÿ1#= LmPackageName Aÿÿ)= KeyLength Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort  " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--èC:\Windows\System32\services.exe--0\ **xí4šL0åÑ  «Ö& F[!1@ €4šL0åÑxžPèg 4íMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3É®x«C‚Å“Â-ž:ÿÿ.ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= PrivilegeList  œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegešx**˜îI|¨L0åÑ  «Ö& F!1 €I|¨L0åÑxžPèg 4îMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--ex˜** ïI|¨L0åÑ  «Ö& F…!1@ €I|¨L0åÑxžPèg 4ïMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3 &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜ð©ÝªL0åÑ  «Ö& F!1 €©ÝªL0åÑxžPèg TðMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--˜** ñ©ÝªL0åÑ  «Ö& F…!1@ €©ÝªL0åÑxžPèg TñMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3 &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegews- **˜òK‡»L0åÑ  «Ö& F!1 €K‡»L0åÑxžPèg 4òMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--Ö&˜** óK‡»L0åÑ  «Ö& F…!1@ €K‡»L0åÑxžPèg 4óMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3 &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeity **˜ô¼®N0åÑ  «Ö& F!1 €¼®N0åÑ\Reg TôMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--˜** õ¼®N0åÑ  «Ö& F…!1@ €¼®N0åÑ\Reg TõMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3 &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **@öE;(à Security ï:ÚÁÉ    --ANONYMOUS LOGONNT AUTHORITYºNNtLmSsp NTLM-NTLM V1---t-@**ð÷àFGN0åÑ  «Ö& FÕ!0 €àFGN0åÑ\RegD÷Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…Ë- ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ/!= PreviousTime Aÿÿ%=NewTime Aÿÿ)= ProcessId Aÿÿ-= ProcessName  "dWIN-03DLIIOFRRA$WORKGROUPç¦êmN0åÑàFGN0åÑ(C:\Program Files\VMware\VMware Tools\vmtoolsd.exeSheð**ø/M`N0åÑ  «Ö& Fù!5+ €/M`N0åÑ\Reg  øMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»1TØ®b¨ãb]Áh˺‘~ÿÿrðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ/!= ObjectServer Aÿÿ+= ObjectType Aÿÿ+= ObjectName Aÿÿ'=HandleId Aÿÿ!=OldSd Aÿÿ!=NewSd Aÿÿ)= ProcessId Aÿÿ-= ProcessName  "¢^\TWIN-03DLIIOFRRA$WORKGROUPçSecurityKey\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\SafeClientListXS:AI(AU;IDSAFA;KW;;;WD)(AU;CIIOIDSAFA;GW;;;WD)S:PARAI(AU;SAFA;KW;;;WD)(AU;CIIOSAFA;GW;;;WD)€C:\Windows\servicing\TrustedInstaller.exe\**€ùaÂ`N0åÑ  «Ö& Fe!5+ €aÂ`N0åÑ\Reg  ùMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security TØ®b»1 "¤^\TWIN-03DLIIOFRRA$WORKGROUPçSecurityKey\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\AutoRestartList\S:AI(AU;IDSAFA;KW;;;WD)(AU;CIIOIDSAFA;GW;;;WD)S:PARAI(AU;SAFA;KW;;;WD)(AU;CIIOSAFA;GW;;;WD)€C:\Windows\servicing\TrustedInstaller.exe.Po€**˜ú4lN0åÑ  «Ö& F!1 €4lN0åÑ\Reg húMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--it˜** û4lN0åÑ  «Ö& F…!1@ €4lN0åÑ\Reg hûMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3 &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeRSD **€üd²QO0åÑ  «Ö& Fy!6{ €d²QO0åÑ düMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 uA;2 @Œ0'¿ºW£cZ–!NÿÿBðAÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ)= TargetSid Aÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= PrivilegeList Aÿÿ3%=SamAccountName Aÿÿ+= SidHistory  *  *WinRMRemoteWMIUsers__WIN-03DLIIOFRRAÚÔ.›hVdí:êWIN-03DLIIOFRRA$WORKGROUPç-WinRMRemoteWMIUsers__-€**ðýd²QO0åÑ  «Ö& Fë!6 €d²QO0åÑ dýMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 uA *  WinRMRemoteWMIUsers__WIN-03DLIIOFRRAÚÔ.›hVdí:êWIN-03DLIIOFRRA$WORKGROUPç---ð**ðþÅ`\O0åÑ  «Ö& Fë!6 €Å`\O0åÑ dþMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ;2 uA *  WinRMRemoteWMIUsers__WIN-03DLIIOFRRAÚÔ.›hVdí:êWIN-03DLIIOFRRA$WORKGROUPç---að**pÿ¦)mO0åÑ  «Ö& Fk!1 €¦)mO0åÑ dÿMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--\p**ˆ¦)mO0åÑ  «Ö& Fƒ!1@ €¦)mO0åÑ dMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeDˆ**ˆ‰c\0åÑ  «Ö& Fƒ!1( €‰c\0åÑ TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skÍO`/skbðhP3å'vÿÿðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ)= LogonGuid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ5'=TargetLogonGuid Aÿÿ7)=TargetServerName Aÿÿ+= TargetInfo Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort   @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostØC:\Windows\System32\winlogon.exe127.0.0.10Rˆ**°‰c\0åÑ  «Ö& F©!1 €‰c\0åÑ TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA£² User32 NegotiateWIN-03DLIIOFRRA--ØC:\Windows\System32\winlogon.exe127.0.0.10er°**°‰c\0åÑ  «Ö& F©!1 €‰c\0åÑ TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÛ² User32 NegotiateWIN-03DLIIOFRRA--ØC:\Windows\System32\winlogon.exe127.0.0.10\v°**‰c\0åÑ  «Ö& F!1@ €‰c\0åÑ TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA£² SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivileged.**p€¤áb0åÑ  «Ö& Fk!1 €€¤áb0åÑ <Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--np**ˆ€¤áb0åÑ  «Ö& Fƒ!1@ €€¤áb0åÑ <Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**pB‡µË;åÑ  «Ö& Fk!1 €B‡µË;åÑ ¬Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--p**ˆB‡µË;åÑ  «Ö& Fƒ!1@ €B‡µË;åÑ ¬Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p š`1Å<åÑ  «Ö& Fk!1 €š`1Å<åÑ T Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--p**ˆ š`1Å<åÑ  «Ö& Fƒ!1@ €š`1Å<åÑ T Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p º„8Å<åÑ  «Ö& Fk!1 €º„8Å<åÑ T Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--p**ˆ º„8Å<åÑ  «Ö& Fƒ!1@ €º„8Å<åÑ T Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p (¯JÍ<åÑ  «Ö& Fk!1 €(¯JÍ<åÑ T Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--p**ˆ(¯JÍ<åÑ  «Ö& Fƒ!1@ €(¯JÍ<åÑ TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**põ¾Ù_åÑ  «Ö& Fk!1 €õ¾Ù_åÑ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--p**ˆõ¾Ù_åÑ  «Ö& Fƒ!1@ €õ¾Ù_åÑ Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p¶SÃÙ_åÑ  «Ö& Fk!1 €¶SÃÙ_åÑ TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--èC:\Windows\System32\services.exe--p**ˆ¶SÃÙ_åÑ  «Ö& Fƒ!1@ €¶SÃÙ_åÑ TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**à+–‚æÑ ê@Sž†ê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $A‰m5DUserData! u!gL @+–‚æÑ<¼ T3[ì‰T3[ÓˆY}É*ë•ÄlJAÿÿ>Š«'ServiceShutdown FDŠNwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**˜Â…G‚æÑ  «Ö& F!1' €Â…G‚æÑÐá TMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NsŒ-{NŽ¯EßÄ•34èɦúÿÿîðAÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId   ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÛ² ˜**PÒVÕajæÑ  «Ö& F9!0 €ÒVÕajæÑS³¾ $Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî ÍOÝ&ÎîË|Ö Žp)·cîÿÿðP**ÒVÕajæÑ  «Ö& Fõ!1 €ÒVÕajæÑS³¾ $Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --SYSTEMNT AUTHORITYç-------**ÈtæajæÑ  «Ö& F¯!5& €tæajæÑS³¾ \Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇk’ºìÇ'1°—`A—–—ù tÿÿhðAÿÿ'=PuaCount Aÿÿ-= PuaPolicyId cÌÈ**˜õ…ïajæÑ  «Ö& F!1 €õ…ïajæÑS³¾ PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** õ…ïajæÑ  «Ö& F…!1@ €õ…ïajæÑS³¾ PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3 &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨ØwbjæÑ  «Ö& F‘!1 €ØwbjæÑS³¾ PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--C:\Windows\System32\services.exe--¨**(ØwbjæÑ  «Ö& F !1@ €ØwbjæÑS³¾ PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨YýbjæÑ  «Ö& F!1 €YýbjæÑS³¾ PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--C:\Windows\System32\services.exe--¨** YýbjæÑ  «Ö& F !1@ €YýbjæÑS³¾ PMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3 œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜;ä#bjæÑ  «Ö& F!1 €;ä#bjæÑS³¾ |Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** ;ä#bjæÑ  «Ö& F…!1@ €;ä#bjæÑS³¾ |Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3 &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜ ›E&bjæÑ  «Ö& F!1 €›E&bjæÑS³¾ P Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** !›E&bjæÑ  «Ö& F…!1@ €›E&bjæÑS³¾ P!Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3 &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜"Gk¶cjæÑ  «Ö& F!1 €Gk¶cjæÑ\Reg P"Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** #Gk¶cjæÑ  «Ö& F…!1@ €Gk¶cjæÑ\Reg P#Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3 &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **$‘U'djæÑ  «Ö& F!1 €‘U'djæÑ |$Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --ANONYMOUS LOGONNT AUTHORITYNUNtLmSsp NTLM-NTLM V1---**ø%@adjæÑ  «Ö& Fó!0 €@adjæÑ0%Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…Ë-  bWIN-03DLIIOFRRA$WORKGROUPç’Š3djæÑ@adjæÑC:\Program Files\VMware\VMware Tools\vmtoolsd.exeø**p&[­ djæÑ  «Ö& Fk!1 €[­ djæÑ P&Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ'[­ djæÑ  «Ö& Fƒ!1@ €[­ djæÑ P'Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p(w5ejæÑ  «Ö& Fk!1 €w5ejæÑ |(Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ)w5ejæÑ  «Ö& Fƒ!1@ €w5ejæÑ |)Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**`*nRÑljæÑ  «Ö& FW!1( €nRÑljæÑ D*Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skÍO  @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostìC:\Windows\System32\winlogon.exe127.0.0.10`**°+nRÑljæÑ  «Ö& F©!1 €nRÑljæÑ D+Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA‚ÔUser32 NegotiateWIN-03DLIIOFRRA--ìC:\Windows\System32\winlogon.exe127.0.0.10°**°,nRÑljæÑ  «Ö& F©!1 €nRÑljæÑ D,Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÁÔUser32 NegotiateWIN-03DLIIOFRRA--ìC:\Windows\System32\winlogon.exe127.0.0.10°**-nRÑljæÑ  «Ö& F!1@ €nRÑljæÑ D-Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA‚ÔSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege**p.• YsjæÑ  «Ö& Fk!1 €• YsjæÑ h.Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ/• YsjæÑ  «Ö& Fƒ!1@ €• YsjæÑ h/Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p0¢¢€&næÑ  «Ö& Fk!1 €¢¢€&næÑ D0Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ1¢¢€&næÑ  «Ö& Fƒ!1@ €¢¢€&næÑ D1Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p2#(Š&næÑ  «Ö& Fk!1 €#(Š&næÑ D2Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ3#(Š&næÑ  «Ö& Fƒ!1@ €#(Š&næÑ D3Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p4C9”næÑ  «Ö& Fk!1 €C9”næÑ À4Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ5C9”næÑ  «Ö& Fƒ!1@ €C9”næÑ À5Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p6h3….òæÑ  «Ö& Fk!1 €h3….òæÑ \ 6Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ7h3….òæÑ  «Ö& Fƒ!1@ €h3….òæÑ \ 7Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p8(ö‰.òæÑ  «Ö& Fk!1 €(ö‰.òæÑ D8Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ9(ö‰.òæÑ  «Ö& Fƒ!1@ €(ö‰.òæÑ D9Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ø:’>‰$óéÑ  «Ö& Fó!0 €’>‰$óéÑ8:Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…Ë-  bWIN-03DLIIOFRRA$WORKGROUPç’ï F¥çÑ0Òs$óéÑC:\Program Files\VMware\VMware Tools\vmtoolsd.exeø**`;0™~óéÑ  «Ö& FW!1( €0™~óéÑ D;Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/skÍO  @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostìC:\Windows\System32\winlogon.exe127.0.0.10`**°<0™~óéÑ  «Ö& F©!1 €0™~óéÑ D<Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA„”°User32 NegotiateWIN-03DLIIOFRRA--ìC:\Windows\System32\winlogon.exe127.0.0.10°**°=0™~óéÑ  «Ö& F©!1 €0™~óéÑ D=Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA’”°User32 NegotiateWIN-03DLIIOFRRA--ìC:\Windows\System32\winlogon.exe127.0.0.10°  «Ö& F1@ €0™~óéÑ D>Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«3ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA„”°ElfChnk>™>™€àü þÏ©_®È(>âóè =VøDÎzù²›f?øA©MFºž&[ /øìsƒF•V**8 >0™~óéÑ  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! F!1@ €0™~óéÑ D>Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»®x«C‚Å“Â-žhÿÿ\âD‚ EventDataAÿÿE ΊoData%=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= PrivilegeList ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA„”°SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege=8 **À?0™~óéÑ  «Ö& F·!1 €0™~óéÑ D?Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ˜gèjE ˜gèjn‡-P‹ÿv‘‹*ÿÿâAÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId Aÿÿ) = LogonType ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA’”°ervÀ**€@0™~óéÑ  «Ö& Fu!1 €0™~óéÑ ì@Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ˜gèjE ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA„”°S€**àAºxEóéÑ ê@Sžê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $Am5DUserData! u!gL @ºxEóéÑTA T3[ìT3[ÓˆY}É*ë•ÄlJAÿÿ>«'ServiceShutdown FDNwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**˜B£èœóéÑ  «Ö& F!1' €£èœóéÑÐÝÄ p BMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{Ns-{NŽ¯EßÄ•34èɦúÿÿîâAÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId   ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAÁÔeg˜**PCëvºôéÑ  «Ö& F9!0 €ëvºôéÑ@ß CMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî Ý&ÎîË|Ö Žp)·cîÿÿâP**¨DKؼôéÑ  «Ö& F‹!1 €KؼôéÑ@ß DMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[»ï:ÚÁ¹öǬr›fË8(~ÿÿrâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ1 #= TargetUserSid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ1 #= TargetLogonId Aÿÿ) = LogonType Aÿÿ7 )=LogonProcessName AÿÿI ;=AuthenticationPackageName Aÿÿ5 '=WorkstationName Aÿÿ) = LogonGuid Aÿÿ= /=TransmittedServices Aÿÿ1 #= LmPackageName Aÿÿ) = KeyLength Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort   --SYSTEMNT AUTHORITYç-------y-Au¨**ÈEMãÏôéÑ  «Ö& F¯!5& €MãÏôéÑ@ßXEMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ ºìÇ'1°—`A—–—ù tÿÿhâAÿÿ' =PuaCount Aÿÿ- = PuaPolicyId …ˇ»LÈ**˜F®DÒôéÑ  «Ö& F!1 €®DÒôéÑ@ßxFMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--àC:\Windows\System32\services.exe--es˜** G®DÒôéÑ  «Ö& F…!1@ €®DÒôéÑ@ßxGMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege¼®N **¨H1ÕîôéÑ  «Ö& F‘!1 €1ÕîôéÑ@ßxHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--àC:\Windows\System32\services.exe--v¨**(I1ÕîôéÑ  «Ö& F !1@ €1ÕîôéÑ@ßxIMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege(**¨J²ZøôéÑ  «Ö& F!1 €²ZøôéÑ@ßxJMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--àC:\Windows\System32\services.exe--erN¨** K²ZøôéÑ  «Ö& F !1@ €²ZøôéÑ@ßxKMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegev **˜L3àôéÑ  «Ö& F!1 €3àôéÑ@ßxLMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--àC:\Windows\System32\services.exe--˜** M3àôéÑ  «Ö& F…!1@ €3àôéÑ@ßxMMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege** **˜Nô¢ôéÑ  «Ö& F!1 €ô¢ôéÑ@ßdNMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--àC:\Windows\System32\services.exe--IO˜** Oô¢ôéÑ  «Ö& F…!1@ €ô¢ôéÑ@ßdOMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege«Ö& **˜P‚ 2ôéÑ  «Ö& F!1 €‚ 2ôéÑ\RegLPMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--àC:\Windows\System32\services.exe--iv˜** Q‚ 2ôéÑ  «Ö& F…!1@ €‚ 2ôéÑ\RegLQMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegetLo **@R¬T›ôéÑ  «Ö& F'!1 €¬T›ôéÑ\RegxRMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[    --ANONYMOUS LOGONNT AUTHORITYŸRNtLmSsp NTLM-NTLM V1---@**ðS eôéÑ  «Ö& FÕ!0 € eôéÑ\Reg4SMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…ƒF ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼âAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ/ != PreviousTime Aÿÿ% =NewTime Aÿÿ) = ProcessId Aÿÿ- = ProcessName  "dWIN-03DLIIOFRRA$WORKGROUPçÍõ¢ôéÑ eôéÑC:\Program Files\VMware\VMware Tools\vmtoolsd.exe ð**˜T66œôéÑ  «Ö& F!1 €66œôéÑ\RegtTMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--àC:\Windows\System32\services.exe--nd˜** U66œôéÑ  «Ö& F…!1@ €66œôéÑ\RegtUMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeity **pV[H†ôéÑ  «Ö& Fk!1 €[H†ôéÑLVMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--àC:\Windows\System32\services.exe--ap**ˆW[H†ôéÑ  «Ö& Fƒ!1@ €[H†ôéÑLWMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**ˆX‹î ôéÑ  «Ö& Fƒ!1( €‹î ôéÑtXMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk•V `/skbðhP3å'vÿÿâAÿÿ3 %=SubjectUserSid Aÿÿ5 '=SubjectUserName Aÿÿ9 +=SubjectDomainName Aÿÿ3 %=SubjectLogonId Aÿÿ) = LogonGuid Aÿÿ3 %=TargetUserName Aÿÿ7 )=TargetDomainName Aÿÿ5 '=TargetLogonGuid Aÿÿ7 )=TargetServerName Aÿÿ+ = TargetInfo Aÿÿ) = ProcessId Aÿÿ- = ProcessName Aÿÿ) = IpAddress Aÿÿ# =IpPort   @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostC:\Windows\System32\winlogon.exe127.0.0.10Rˆ**°Y‹î ôéÑ  «Ö& F©!1 €‹î ôéÑtYMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAAUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10É°**°Z‹î ôéÑ  «Ö& F©!1 €‹î ôéÑtZMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRACAUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10HO°**[‹î ôéÑ  «Ö& F!1@ €‹î ôéÑt[Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAASeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegety**p\LÞ}ôéÑ  «Ö& Fk!1 €LÞ}ôéÑœ \Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--àC:\Windows\System32\services.exe--yp**ˆ]LÞ}ôéÑ  «Ö& Fƒ!1@ €LÞ}ôéÑœ ]Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeyˆ**x^\»? ôéÑ  «Ö& Fm!1' €\»? ôéÑ@^Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NsÚÔ.›hVdí:èfsirWIN-03DLIIOFRRACAystex**À_&ª ôéÑ ê@Sž !gL @&ª ôéÑLŒ _ T3[ì À**(`P·ø¶ôéÑ  «Ö& F!0 €P·ø¶ôéÑ ß$(`Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî ge(**a°û¶ôéÑ  «Ö& Fõ!1 €°û¶ôéÑ ß$(aMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  --SYSTEMNT AUTHORITYç-------**@bR ·ôéÑ  «Ö& F#!5& €R ·ôéÑ ß$XbMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ íËIIOF@**˜c…·ôéÑ  «Ö& F!1 €…·ôéÑ ß$TcMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--bP˜** d…·ôéÑ  «Ö& F…!1@ €…·ôéÑ ß$TdMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeNT  **¨eWØ1·ôéÑ  «Ö& F‘!1 €WØ1·ôéÑ ß$TeMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--äC:\Windows\System32\services.exe--T¨**(fWØ1·ôéÑ  «Ö& F !1@ €WØ1·ôéÑ ß$TfMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeMi(**¨gØ];·ôéÑ  «Ö& F!1 €Ø];·ôéÑ ß$TgMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--äC:\Windows\System32\services.exe--Aud¨** hØ];·ôéÑ  «Ö& F !1@ €Ø];·ôéÑ ß$ThMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegei **˜i¹DG·ôéÑ  «Ö& F!1 €¹DG·ôéÑ ß$€iMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--te˜** j¹DG·ôéÑ  «Ö& F…!1@ €¹DG·ôéÑ ß$€jMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegenme **˜k¦I·ôéÑ  «Ö& F!1 €¦I·ôéÑ ß$TkMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--FΘ** l¦I·ôéÑ  «Ö& F…!1@ €¦I·ôéÑ ß$TlMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeà Se **˜m°0™¸ôéÑ  «Ö& F!1 €°0™¸ôéÑ\Reg$HmMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--Se˜** n°0™¸ôéÑ  «Ö& F…!1@ €°0™¸ôéÑ\Reg$HnMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeA **@oÛ®¹ôéÑ  «Ö& F'!1 €Û®¹ôéÑ\Reg$HoMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[    --ANONYMOUS LOGONNT AUTHORITYSNtLmSsp NTLM-NTLM V1---@**˜p¨T¹ôéÑ  «Ö& F!1 €¨T¹ôéÑ\Reg$HpMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--cb˜** q¨T¹ôéÑ  «Ö& F…!1@ €¨T¹ôéÑ\Reg$HqMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **præš9ºôéÑ  «Ö& Fk!1 €æš9ºôéÑ$HrMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--ep**ˆsæš9ºôéÑ  «Ö& Fƒ!1@ €æš9ºôéÑ$HsMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**`t+a3õôéÑ  «Ö& FW!1( €+a3õôéÑ$HtMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk•V  @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostC:\Windows\System32\winlogon.exe127.0.0.10`**°u+a3õôéÑ  «Ö& F©!1 €+a3õôéÑ$HuMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAóëUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10°**°v+a3õôéÑ  «Ö& F©!1 €+a3õôéÑ$HvMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA+ìUser32 NegotiateWIN-03DLIIOFRRA--C:\Windows\System32\winlogon.exe127.0.0.10nm°**w+a3õôéÑ  «Ö& F!1@ €+a3õôéÑ$HwMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAóëSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeE&b**px} úôéÑ  «Ö& Fk!1 €} úôéÑ$TxMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--up**ˆy} úôéÑ  «Ö& Fƒ!1@ €} úôéÑ$TyMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege\ˆ**pz²·áTõéÑ  «Ö& Fk!1 €²·áTõéÑ$dzMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--äC:\Windows\System32\services.exe--Sp**ˆ{²·áTõéÑ  «Ö& Fƒ!1@ €²·áTõéÑ$d{Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegedˆ**ø|ÃÎgªûéÑ  «Ö& Fó!0 €ÃÎgªûéÑ4|Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…ƒF  bWIN-03DLIIOFRRA$WORKGROUPç`· õéÑÀÃTªûéÑC:\Program Files\VMware\VMware Tools\vmtoolsd.exedø**ø}’¸ÉæëÑ  «Ö& Fó!0 €’¸ÉæëÑ<}Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…ƒF  bWIN-03DLIIOFRRA$WORKGROUP瀑šyüéÑð¹æëÑC:\Program Files\VMware\VMware Tools\vmtoolsd.exeø**À~ªC’2æëÑ ê@Sž !gL @ªC’2æëÑTl ~ T3[ìÀ**ˆ< 2æëÑ  «Ö& Fm!1' €< 2æëÑ\Reg$¼Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{Ns  ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA+ìiviˆ**(€ǺÐÓg¢Ò  «Ö& F!0 €ÇºÐÓg¢Ò Þi€Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî  (**‰ˆèÓg¢Ò  «Ö& Fõ!1 €‰ˆèÓg¢Ò ÞiMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  --SYSTEMNT AUTHORITYç-------ORK**@‚ò³Õg¢Ò  «Ö& F#!5& €ò³Õg¢Ò ÞiX‚Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ …ÆF@**˜ƒ…tïÕg¢Ò  «Ö& F!1 €…tïÕg¢Ò Þi|ƒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--ri˜** „…tïÕg¢Ò  «Ö& F…!1@ €…tïÕg¢Ò Þi|„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeind **¨…!~ÝÖg¢Ò  «Ö& F‘!1 €!~ÝÖg¢Ò Þi|…Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--C:\Windows\System32\services.exe---¨**(†!~ÝÖg¢Ò  «Ö& F !1@ €!~ÝÖg¢Ò Þi|†Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege«Ö&(**¨‡'Ÿ×g¢Ò  «Ö& F!1 €'Ÿ×g¢Ò Þi\‡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--C:\Windows\System32\services.exe--e ¨** ˆ'Ÿ×g¢Ò  «Ö& F !1@ €'Ÿ×g¢Ò Þi\ˆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeA **˜‰ù¹³×g¢Ò  «Ö& F!1 €ù¹³×g¢Ò Þi\‰Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--er˜** Šù¹³×g¢Ò  «Ö& F…!1@ €ù¹³×g¢Ò Þi\ŠMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜‹Y¶×g¢Ò  «Ö& F!1 €Y¶×g¢Ò Þi\‹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--Pr˜** ŒY¶×g¢Ò  «Ö& F…!1@ €Y¶×g¢Ò Þi\ŒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeexe **p§wçg¢Ò  «Ö& Fk!1 €§wçg¢Ò<Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe-- p**ˆŽ§wçg¢Ò  «Ö& Fƒ!1@ €§wçg¢Ò<ŽMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeeˆ**•êg¢Ò  «Ö& F!1 €•êg¢ÒHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  --ANONYMOUS LOGONNT AUTHORITY,DNtLmSsp NTLM-NTLM V1---r**`š¦íg¢Ò  «Ö& FW!1( €š¦íg¢Ò<Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk•V  @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostàC:\Windows\System32\winlogon.exe127.0.0.10%–„Tx`**°‘š¦íg¢Ò  «Ö& F©!1 €š¦íg¢Ò<‘Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA“User32 NegotiateWIN-03DLIIOFRRA--àC:\Windows\System32\winlogon.exe127.0.0.10$°**°’š¦íg¢Ò  «Ö& F©!1 €š¦íg¢Ò<’Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAË“User32 NegotiateWIN-03DLIIOFRRA--àC:\Windows\System32\winlogon.exe127.0.0.10°**“š¦íg¢Ò  «Ö& F!1@ €š¦íg¢Ò<“Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA“SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege„Tx**p”6žoúg¢Ò  «Ö& Fk!1 €6žoúg¢Ò\”Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe-- p**ˆ•6žoúg¢Ò  «Ö& Fƒ!1@ €6žoúg¢Ò\•Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege-ˆ**(–¨c¼´Ò ê@Sž !eM @¨c¼´ÒP8– 4b|¡/øE 4b|¡¾í}‚ŒÍ™÷è/—QAÿÿEVø 1AuditEventsDroppedæFD/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogÿÿ zù÷¤ÌReason (**(—Çv‚»¼´Ò  «Ö& F!0 €Çv‚»¼´Ò°Ü­—Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî ì(**˜ Ê£»¼´Ò  «Ö& Fõ!1 € Ê£»¼´Ò°Ü­˜Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  --SYSTEMNT AUTHORITYç-------**@™ùs8½¼´Ò  «Ö& F#!5& €ùs8½¼´Ò°Ü­X™Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ ºÇ@   «Ö& Fin1 €^ë`½¼´Ò°Ü­|šMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BElfChnkšÕšÕ€²ˆµ¤C§¹zœÓyðóè=UÎ÷²›fëT?øT©MFºvQ&#«Z•¡ÄTÕOõ=KW** š^ë`½¼´Ò  «Ö& «Ödð¡E¢]W‹¶–AŠMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿÚøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿBF‘;nComputerWIN-03DLIIOFRRAAÿÿB .Security²fLUserID ! FC!1 €^ë`½¼´Ò°Ü­|šMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉï:ÚÁ¹öǬr›fË8(¬ÿÿ ðD‚ EventDataAÿÿEΊoData%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId Aÿÿ)= LogonType Aÿÿ7)=LogonProcessName AÿÿI;=AuthenticationPackageName Aÿÿ5'=WorkstationName Aÿÿ)= LogonGuid Aÿÿ=/=TransmittedServices Aÿÿ1#= LmPackageName Aÿÿ)= KeyLength Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort  " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe-- **ð›^ë`½¼´Ò  «Ö& F×!1@ €^ë`½¼´Ò°Ü­|›Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#É®x«C‚Å“Â-ž:ÿÿ.ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ1#= PrivilegeList  &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege3[ð**¨œáü“¾¼´Ò  «Ö& F‘!1 €áü“¾¼´Ò°Ü­|œMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--C:\Windows\System32\services.exe--A¨**(áü“¾¼´Ò  «Ö& F !1@ €áü“¾¼´Ò°Ü­|Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeSec(**¨žk®é¾¼´Ò  «Ö& F!1 €k®é¾¼´Ò°Ü­|žMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--C:\Windows\System32\services.exe--nId¨** Ÿk®é¾¼´Ò  «Ö& F !1@ €k®é¾¼´Ò°Ü­|ŸMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜ Ýg„¿¼´Ò  «Ö& F!1 €Ýg„¿¼´Ò°Ü­x Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** ¡Ýg„¿¼´Ò  «Ö& F…!1@ €Ýg„¿¼´Ò°Ü­x¡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegegot **˜¢*‰¿¼´Ò  «Ö& F!1 €*‰¿¼´Ò°Ü­x¢Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--ke˜** £*‰¿¼´Ò  «Ö& F…!1@ €*‰¿¼´Ò°Ü­x£Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegevap **ˆ¤H3öá¼´Ò  «Ö& Fƒ!1( €H3öá¼´Ò<¤Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk *`/skbðhP3å'vÿÿðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ)= LogonGuid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ5'=TargetLogonGuid Aÿÿ7)=TargetServerName Aÿÿ+= TargetInfo Aÿÿ)= ProcessId Aÿÿ-= ProcessName Aÿÿ)= IpAddress Aÿÿ#=IpPort   @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostàC:\Windows\System32\winlogon.exe127.0.0.10ˆ**°¥H3öá¼´Ò  «Ö& F©!1 €H3öá¼´Ò<¥Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA!íUser32 NegotiateWIN-03DLIIOFRRA--àC:\Windows\System32\winlogon.exe127.0.0.10ro°**°¦H3öá¼´Ò  «Ö& F©!1 €H3öá¼´Ò<¦Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAOíUser32 NegotiateWIN-03DLIIOFRRA--àC:\Windows\System32\winlogon.exe127.0.0.10ws°**§H3öá¼´Ò  «Ö& F!1@ €H3öá¼´Ò<§Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA!íSeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege**p¨ù²Vì¼´Ò  «Ö& Fk!1 €ù²Vì¼´Òx¨Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆ©ù²Vì¼´Ò  «Ö& Fƒ!1@ €ù²Vì¼´Òx©Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**تpAÉó¼´Ò  «Ö& FÓ!0 €pAÉó¼´Ò4ªMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…õ= ·C…^Å9Ó”ÞÙõ|>¦Èÿÿ¼ðAÿÿ3%=SubjectUserSid Aÿÿ5'=SubjectUserName Aÿÿ9+=SubjectDomainName Aÿÿ3%=SubjectLogonId Aÿÿ/!= PreviousTime Aÿÿ%=NewTime Aÿÿ)= ProcessId Aÿÿ-= ProcessName   bWIN-03DLIIOFRRA$WORKGROUPç9wïó¼´ÒpAÉó¼´ÒHC:\Program Files\VMware\VMware Tools\vmtoolsd.exeØ**«ÿEô¼´Ò  «Ö& F!1 €ÿEô¼´Ò|«Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --ANONYMOUS LOGONNT AUTHORITYê²NtLmSsp NTLM-NTLM V1---P**p¬8®Ñý¼´Ò  «Ö& Fk!1 €8®Ñý¼´Ò\¬Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--1p**ˆ­8®Ñý¼´Ò  «Ö& Fƒ!1@ €8®Ñý¼´Ò\­Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**p®*¶½´Ò  «Ö& Fk!1 €*¶½´Ò<®Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--Rp**ˆ¯*¶½´Ò  «Ö& Fƒ!1@ €*¶½´Ò<¯Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeeˆ**ˆ°f”½´Ò  «Ö& F!1' €f”½´Òx°Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NÕO-{NŽ¯EßÄ•34èɦúÿÿîðAÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAOíSTEˆ**à±–Ø$½´Ò ê@SvQê@SìÿñºùKp|ভAÿÿ¡Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿòøAÿÿ›’F=Microsoft-Windows-EventlogX&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}Az › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSecurityÿÿ(FWIN-03DLIIOFRRAAÿÿ ² $Tm5DUserData! u!gL @–Ø$½´ÒPx± T3[ÄTT3[ÓˆY}É*ë•ÄlJAÿÿ>ëT«'ServiceShutdown FUNwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogà**P²®²¿2½´Ò  «Ö& F9!0 €®²¿2½´Ò€ ²Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&ÎîKW *Ý&ÎîË|Ö Žp)·cîÿÿðP**³®²¿2½´Ò  «Ö& Fõ!1 €®²¿2½´Ò€ ³Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  --SYSTEMNT AUTHORITYç-------res**È´/8É2½´Ò  «Ö& F¯!5& €/8É2½´Ò€ L´Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ«ZºìÇ'1°—`A—–—ù tÿÿhðAÿÿ'=PuaCount Aÿÿ-= PuaPolicyId úÂÈ**˜µ™Ë2½´Ò  «Ö& F!1 €™Ë2½´Ò€ tµMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** ¶™Ë2½´Ò  «Ö& F…!1@ €™Ë2½´Ò€ t¶Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **¨·‘¤Þ2½´Ò  «Ö& F‘!1 €‘¤Þ2½´Ò€ p·Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--C:\Windows\System32\services.exe---¨**(¸‘¤Þ2½´Ò  «Ö& F !1@ €‘¤Þ2½´Ò€ p¸Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege!(**¨¹²Èå2½´Ò  «Ö& F!1 €²Èå2½´Ò€ t¹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--C:\Windows\System32\services.exe--Sys¨** º²Èå2½´Ò  «Ö& F !1@ €²Èå2½´Ò€ tºMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege **˜»Óìì2½´Ò  «Ö& F!1 €Óìì2½´Ò€ t»Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--ti˜** ¼Óìì2½´Ò  «Ö& F…!1@ €Óìì2½´Ò€ t¼Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜½3Nï2½´Ò  «Ö& F!1 €3Nï2½´Ò€ p½Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** ¾3Nï2½´Ò  «Ö& F…!1@ €3Nï2½´Ò€ p¾Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜¿‘â3½´Ò  «Ö& F!1 €‘â3½´Ò\Regt¿Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--˜** À‘â3½´Ò  «Ö& F…!1@ €‘â3½´Ò\RegtÀMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeAud **@Á¸ù24½´Ò  «Ö& F'!1 €¸ù24½´Ò\RegtÁMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    --ANONYMOUS LOGONNT AUTHORITYôKNtLmSsp NTLM-NTLM V1---@**ÂÀM4½´Ò  «Ö& Fõ!0 €ÀM4½´Ò\Reg@ÂMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…õ= "dWIN-03DLIIOFRRA$WORKGROUPç¸ù24½´ÒÀM4½´Ò C:\Program Files\VMware\VMware Tools\vmtoolsd.exe**˜Ãƒß>4½´Ò  «Ö& F!1 €ƒß>4½´Ò\RegpÃMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--ri˜** Äƒß>4½´Ò  «Ö& F…!1@ €ƒß>4½´Ò\RegpÄMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«# &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **pÅ6ë5½´Ò  «Ö& Fk!1 €6ë5½´ÒpÅMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe-- p**ˆÆ6ë5½´Ò  «Ö& Fƒ!1@ €6ë5½´ÒpÆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeˆ**`Çø®i6½´Ò  «Ö& FW!1( €ø®i6½´ÒpÇMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk *  @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostèC:\Windows\System32\winlogon.exe127.0.0.10 S`**°Èø®i6½´Ò  «Ö& F©!1 €ø®i6½´ÒpÈMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAä€User32 NegotiateWIN-03DLIIOFRRA--èC:\Windows\System32\winlogon.exe127.0.0.10in°**°Éø®i6½´Ò  «Ö& F©!1 €ø®i6½´ÒpÉMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAUser32 NegotiateWIN-03DLIIOFRRA--èC:\Windows\System32\winlogon.exe127.0.0.10°**Êø®i6½´Ò  «Ö& F!1@ €ø®i6½´ÒpÊMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAä€SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegele**pË U]C½´Ò  «Ö& Fk!1 € U]C½´ÒpËMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆÌ U]C½´Ò  «Ö& Fƒ!1@ € U]C½´ÒpÌMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegevˆ**xÍñhAH½´Ò  «Ö& Fm!1' €ñhAH½´ÒPÍMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{NÕOÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAvilex**ÀξoåJ½´Ò  «Ö& F·!1 €¾oåJ½´ÒtÎMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ˜gèj•¡˜gèjn‡-P‹ÿv‘‹*ÿÿðAÿÿ1#= TargetUserSid Aÿÿ3%=TargetUserName Aÿÿ7)=TargetDomainName Aÿÿ1#= TargetLogonId Aÿÿ)= LogonType ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAn.eÀ**€Ï¾oåJ½´Ò  «Ö& Fu!1 €¾oåJ½´ÒtÏMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ˜gèj•¡ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAä€@€**`н÷}_½´Ò  «Ö& FW!1( €½÷}_½´ÒtÐMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk *  @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhost, C:\Windows\System32\winlogon.exe127.0.0.10ÚÁ[`**°Ñ½÷}_½´Ò  «Ö& F©!1 €½÷}_½´ÒtÑMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAå­User32 NegotiateWIN-03DLIIOFRRA--, C:\Windows\System32\winlogon.exe127.0.0.10»°**°Ò½÷}_½´Ò  «Ö& F©!1 €½÷}_½´ÒtÒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAû­User32 NegotiateWIN-03DLIIOFRRA--, C:\Windows\System32\winlogon.exe127.0.0.10nd°**Ó½÷}_½´Ò  «Ö& F!1@ €½÷}_½´ÒtÓMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAå­SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeHO**pÔ»j†f½´Ò  «Ö& Fk!1 €»j†f½´ÒpÔMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁÉ    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--p**ˆÕ»j†f½´Ò  «Ö& Fƒ!1@ €»j†f½´ÒpÕMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«#  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeOˆTYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegedˆ**ø|ÃÎgªûéÑ  «Ö& Fó!0 €ÃÎgªûéÑ4|Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…ƒF  bWIN-03DLIIOFRRA$WORKGROUPç`· õéÑÀÃTªûéÑC:\Program Files\VMware\VMware Tools\vmtoolsd.exedø**ø}’¸ÉæëÑ  «Ö& Fó!0 €’¸ÉæëÑ<}Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security  ·C…ƒF  bWIN-03DLIIOFRRA$WORKGROUP瀑šyüéÑð¹æëÑC:\Program Files\VMware\VMware Tools\vmtoolsd.exeø**À~ªC’2æëÑ ê@Sž !gL @ªC’2æëÑTl ~ T3[ìÀ**ˆ< 2æëÑ  «Ö& Fm!1' €< 2æëÑ\Reg$¼Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security -{Ns  ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA+ìiviˆ**(€ǺÐÓg¢Ò  «Ö& F!0 €ÇºÐÓg¢Ò Þi€Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî  (**‰ˆèÓg¢Ò  «Ö& Fõ!1 €‰ˆèÓg¢Ò ÞiMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  --SYSTEMNT AUTHORITYç-------ORK**@‚ò³Õg¢Ò  «Ö& F#!5& €ò³Õg¢Ò ÞiX‚Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ …ÆF@**˜ƒ…tïÕg¢Ò  «Ö& F!1 €…tïÕg¢Ò Þi|ƒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--ri˜** „…tïÕg¢Ò  «Ö& F…!1@ €…tïÕg¢Ò Þi|„Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeind **¨…!~ÝÖg¢Ò  «Ö& F‘!1 €!~ÝÖg¢Ò Þi|…Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ "  BWIN-03DLIIOFRRA$WORKGROUPçNETWORK SERVICENT AUTHORITYäAdvapi Negotiate--C:\Windows\System32\services.exe---¨**(†!~ÝÖg¢Ò  «Ö& F !1@ €!~ÝÖg¢Ò Þi|†Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  œNETWORK SERVICENT AUTHORITYäSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege«Ö&(**¨‡'Ÿ×g¢Ò  «Ö& F!1 €'Ÿ×g¢Ò Þi\‡Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçLOCAL SERVICENT AUTHORITYåAdvapi Negotiate--C:\Windows\System32\services.exe--e ¨** ˆ'Ÿ×g¢Ò  «Ö& F !1@ €'Ÿ×g¢Ò Þi\ˆMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» œLOCAL SERVICENT AUTHORITYåSeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilegeA **˜‰ù¹³×g¢Ò  «Ö& F!1 €ù¹³×g¢Ò Þi\‰Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--er˜** Šù¹³×g¢Ò  «Ö& F…!1@ €ù¹³×g¢Ò Þi\ŠMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege **˜‹Y¶×g¢Ò  «Ö& F!1 €Y¶×g¢Ò Þi\‹Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " BWIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe--Pr˜** ŒY¶×g¢Ò  «Ö& F…!1@ €Y¶×g¢Ò Þi\ŒMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«» &SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeexe **p§wçg¢Ò  «Ö& Fk!1 €§wçg¢Ò<Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe-- p**ˆŽ§wçg¢Ò  «Ö& Fƒ!1@ €§wçg¢Ò<ŽMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilegeeˆ**•êg¢Ò  «Ö& F!1 €•êg¢ÒHMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  --ANONYMOUS LOGONNT AUTHORITY,DNtLmSsp NTLM-NTLM V1---r**`š¦íg¢Ò  «Ö& FW!1( €š¦íg¢Ò<Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security `/sk•V  @WIN-03DLIIOFRRA$WORKGROUPçfsirWIN-03DLIIOFRRAlocalhostlocalhostàC:\Windows\System32\winlogon.exe127.0.0.10%–„Tx`**°‘š¦íg¢Ò  «Ö& F©!1 €š¦íg¢Ò<‘Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA“User32 NegotiateWIN-03DLIIOFRRA--àC:\Windows\System32\winlogon.exe127.0.0.10$°**°’š¦íg¢Ò  «Ö& F©!1 €š¦íg¢Ò<’Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  @WIN-03DLIIOFRRA$WORKGROUPçÚÔ.›hVdí:èfsirWIN-03DLIIOFRRAË“User32 NegotiateWIN-03DLIIOFRRA--àC:\Windows\System32\winlogon.exe127.0.0.10°**“š¦íg¢Ò  «Ö& F!1@ €š¦íg¢Ò<“Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»ÚÔ.›hVdí:èfsirWIN-03DLIIOFRRA“SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege„Tx**p”6žoúg¢Ò  «Ö& Fk!1 €6žoúg¢Ò\”Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[    @WIN-03DLIIOFRRA$WORKGROUPçSYSTEMNT AUTHORITYçAdvapi Negotiate--C:\Windows\System32\services.exe-- p**ˆ•6žoúg¢Ò  «Ö& Fƒ!1@ €6žoúg¢Ò\•Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ®x«»  $SYSTEMNT AUTHORITYçSeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege-ˆ**(–¨c¼´Ò ê@Sž !eM @¨c¼´ÒP8– 4b|¡/øE 4b|¡¾í}‚ŒÍ™÷è/—QAÿÿEVø 1AuditEventsDroppedæFD/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogÿÿ zù÷¤ÌReason (**(—Çv‚»¼´Ò  «Ö& F!0 €Çv‚»¼´Ò°Ü­—Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security Ý&Îî ì(**˜ Ê£»¼´Ò  «Ö& Fõ!1 € Ê£»¼´Ò°Ü­˜Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[  --SYSTEMNT AUTHORITYç-------**@™ùs8½¼´Ò  «Ö& F#!5& €ùs8½¼´Ò°Ü­X™Microsoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ºìÇ ºÇ@   «Ö& Fin1 €^ë`½¼´Ò°Ü­|šMicrosoft-Windows-Security-Auditing%–„TxT”I¥º>;(à Security ï:ÚÁ[ " Bpython-evtx-0.7.4/tests/data/system.evtx000066400000000000000000042100001402613732500203360ustar00rootroot00000000000000ElfFileØ4€ ì±´AElfChnk™/©/€ðý0ÿÂQlWå“Ãksh“=ÀÀ~W‘ÀN¸èÑÁñ Âw^¢ æ¿ø…)MÒ:¼_µÒµÖjÀþ"á¡Þ}çƒä»&0§6¢F½¦ ã®—**€/›çg™Í  î*ó& î*ó׬š´øF›ØäÁÐiAÿÿ]Mº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ†øoTSystemAÿÿÙñ{Provider¶F=K•NameMicrosoft-Windows-EventlogŒ)Guid&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}AMúõaEventID'Œ)Ú Qualifiers "N Version wdÎLevelœE{Task ¿®Opcode$æjÏKeywordsAÿÿP;Ž TimeCreated':j<{ SystemTime .hF EventRecordID Aÿÿ…¢ò Correlation\FÆ ñ ActivityIDíú5ÅRelatedActivityIDAÿÿm)¸µ ExecutionHFNÆ × ProcessIDsœ…9ThreadID ÿÿ.ƒaChannelSystemÿÿbÒ;nComputerWKS-WIN764BITB.shieldbase.localAÿÿB; .Security^fLUserID $…í5DUserData! U!ii€›çg™Í44 / (ÊÊD0(ÊÊDŒÆg³Wâµ{€AÿÿtW‘€ AutoBackup F~Nwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogÿÿ  ÿÿ(¢ 'º BackupPath  –SystemC:\Windows\System32\Winevt\Logs\Archive-System-2012-03-14-04-17-39-932.evtx€** /Šýc™Í S—ÞŦ &S—ÞÅB•”"ó[¥ˆåûAïMsj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿgøAÿÿôëF=Service Control ManagerFŒ&{555908d1-a6d7-4695-8e1e-26931d2012f4}ñ ;`ÖEventSourceNameService Control ManagerAú  N  w œ ¿ æAÿÿ : h AÿÿFÆíAÿÿ)FNs ÿÿSystemÿÿHÒWKS-WIN764BITB.shieldbase.localAÿÿ; ^ ! `!|@€€Šýc™Í$</ ÞáÜ4DÞáÜ4v¢ä“ú*…M^pâ»ÿÿ¯kD‚ EventDataAÿÿ5“NŠoData=param1 Aÿÿ#“=param2 ÿÿ ù!¸Binary 2&Windows Modules Installerstopped&TrustedInstaller/1, **`/q›Í S—ÞŦ  ±!|@€€q›Í$H/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1,`**`/˶;¥Í S—ÞŦ  ±!|@€€Ë¶;¥Í$„/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4,`**`/K±RO§Í S—ÞŦ  ±!|@€€K±RO§Í$`/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1,`**/älMs­Í S—ÞŦ  o!|@€€älMs­Í$˜/ ÞáÜ4D"Disk Defragmenterrunningdefragsvc/4**/L$dâ­Í S—ÞŦ  o!|@€€L$dâ­Í$˜/ ÞáÜ4D"Disk Defragmenterstoppeddefragsvc/1**`/ü]}¯Í S—ÞŦ  ±!|@€€ü]}¯Í$, / ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`/äÅo˱Í S—ÞŦ  ±!|@€€äÅo˱Í$|/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`/AZ$ÿ¸Í S—ÞŦ  ±!|@€€AZ$ÿ¸Í$Ø/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8/™§ºÍ S—ÞŦ  !|@€€™§ºÍ$/ ÞáÜ4D2&Windows Modules Installerrunning&TrustedInstaller/4.8**0/ÜÞÏ#ºÍ S—ÞŦ   w!€@€€ÜÞÏ#ºÍ$€/ cÒ3cÒ3þœ ©™Î}²F±ôºÿÿ®kAÿÿ#“=param1 Aÿÿ#“=param2 Aÿÿ#“=param3 Aÿÿ#“=param4 NBackground Intelligent Transfer Servicedemand startauto startBITSeb 0**X/rR%ºÍ S—ÞŦ   ¡!€@€€rR%ºÍ$€/ cÒ32 Windows Modules Installerdemand startauto startTrustedInstallerP X**X/ä°Ã.ºÍ S—ÞŦ   ¡!€@€€ä°Ã.ºÍ$€/ cÒ32 Windows Modules Installerauto startdemand startTrustedInstallernHX**X/³Ã†]ºÍ S—ÞŦ   ¡!€@€€³Ã†]ºÍ$¨ / cÒ32 Windows Modules Installerdemand startauto startTrustedInstaller,X**X /z õ_ºÍ S—ÞŦ   ¡!€@€€z õ_ºÍ$¨ / cÒ32 Windows Modules Installerauto startdemand startTrustedInstallerX**(!/õ¡eºÍ ¼"_Ýþ"¼"_ÝÖJKlôñ¹®¼9VA Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ‚øAÿÿF=ŒAú  N  w œ ¿ æAÿÿ : h AÿÿFÆí Aÿÿ)FNs  ÿÿHÒWKS-WIN764BITB.shieldbase.localAÿÿ; ^ !  J ç! €õ¡eºÍ„(!/Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem %ö$!&%ö$!R\FC ƒ;úKÀÿÿ´kAÿÿ7“)=schedinstalldate Aÿÿ7“)=schedinstalltime Aÿÿ+“= updatelist 8ª Thursday,  March  15,  20123:00 AM - Update Rollup for ActiveX Killbits for Windows 7 for x64-based Systems (KB2647518)(**¨"/|‡EfºÍ ¼"_Ýþ"  J “! €|‡EfºÍ„("/Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem %ö$!&8. Thursday,  March  15,  20123:00 AM - Update Rollup for ActiveX Killbits for Windows 7 for x64-based Systems (KB2647518) - Security Update for Windows 7 for x64-based Systems (KB2621440)-W¨**0#/|‡EfºÍ ¼"_Ýþ"  J ! €|‡EfºÍ„(#/Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem %ö$!&8º Thursday,  March  15,  20123:00 AM - Update Rollup for ActiveX Killbits for Windows 7 for x64-based Systems (KB2647518) - Security Update for Windows 7 for x64-based Systems (KB2621440) - Windows Malicious Software Removal Tool x64 - March 2012 (KB890830)ù0**¸$/ Thursday,  March  15,  20123:00 AM - Update Rollup for ActiveX Killbits for Windows 7 for x64-based Systems (KB2647518) - Security Update for Windows 7 for x64-based Systems (KB2621440) - Windows Malicious Software Removal Tool x64 - March 2012 (KB890830) - Security Update for Windows 7 for x64-based Systems (KB2667402)Ser¸**X%/à'•uºÍ S—ÞŦ   ¡!€@€€à'•uºÍ$%/ cÒ32 Windows Modules Installerdemand startauto startTrustedInstallerryX**X&/¨xºÍ S—ÞŦ   ¡!€@€€¨xºÍ$&/ cÒ32 Windows Modules Installerauto startdemand startTrustedInstallercoX**('/¡Ï$xºÍ ¼"_Ýþ"  J ! €¡Ï$xºÍ„('/Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem %ö$!&8° Thursday,  March  15,  20123:00 AM - Update Rollup for ActiveX Killbits for Windows 7 for x64-based Systems (KB2647518) - Security Update for Windows 7 for x64-based Systems (KB2621440) - Windows Malicious Software Removal Tool x64 - March 2012 (KB890830) - Update for Windows 7 for x64-based Systems (KB2639308) - Security Update for Windows 7 for x64-based Systems (KB2667402)ry(**X(/Yz~ºÍ S—ÞŦ   ¡!€@€€Yz~ºÍ$(/ cÒ32 Windows Modules Installerdemand startauto startTrustedInstallercoX**X)/vÑ €ºÍ S—ÞŦ   ¡!€@€€vÑ €ºÍ$)/ cÒ32 Windows Modules Installerauto startdemand startTrustedInstaller-DX**°*/–ĬˆºÍ ¼"_Ýþ"  J ™! €–ĬˆºÍ„(*/Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem %ö$!&84 Thursday,  March  15,  20123:00 AM - Update Rollup for ActiveX Killbits for Windows 7 for x64-based Systems (KB2647518) - Security Update for Windows 7 for x64-based Systems (KB2621440) - Windows Malicious Software Removal Tool x64 - March 2012 (KB890830) - Update for Windows 7 for x64-based Systems (KB2639308) - Security Update for Windows 7 for x64-based Systems (KB2665364) - Security Update for Windows 7 for x64-based Systems (KB2667402)s Mo°**0+/–ĬˆºÍ ¼"_Ýþ"  J ! €–ĬˆºÍ„(+/Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem %ö$!&8¸ Thursday,  March  15,  20123:00 AM - Update Rollup for ActiveX Killbits for Windows 7 for x64-based Systems (KB2647518) - Security Update for Windows 7 for x64-based Systems (KB2621440) - Windows Malicious Software Removal Tool x64 - March 2012 (KB890830) - Update for Windows 7 for x64-based Systems (KB2639308) - Security Update for Windows 7 for x64-based Systems (KB2665364) - Security Update for Windows 7 for x64-based Systems (KB2667402) - Security Update for Windows 7 for x64-based Systems (KB2641653),0**X,/p}dæ»Í S—ÞŦ   ¡!€@€€p}dæ»Í$,,/ cÒ32 Windows Modules Installerdemand startauto startTrustedInstallerX**X-/лFê»Í S—ÞŦ   ¡!€@€€Ð»Fê»Í$,-/ cÒ32 Windows Modules Installerauto startdemand startTrustedInstallerenX**8./“^ê»Í S—ÞŦ  !|@€€“^ê»Í$,./ ÞáÜ4D2&Windows Modules Installerstopped&TrustedInstaller/1rv8**`//ðžxY¼Í S—ÞŦ  ±!|@€€ðžxY¼Í$( // ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1Win`**`0/.3éÂÍ S—ÞŦ   ¥!€@€€.3éÂÍ$¼ 0/ cÒ3NBackground Intelligent Transfer Serviceauto startdemand startBITS`**`1/¿ìëÉÍ S—ÞŦ  ±!|@€€¿ìëÉÍ$¬ 1/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`2/¥–9ÌÍ S—ÞŦ  ±!|@€€¥–9ÌÍ$\2/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`3//™×Í S—ÞŦ  ±!|@€€/™×Í$ô3/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`4/’U±ëÙÍ S—ÞŦ  ±!|@€€’U±ëÙÍ$L4/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`5/l!ZáÍ S—ÞŦ  ±!|@€€l!ZáÍ$ 5/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`6/W-qmãÍ S—ÞŦ  ±!|@€€W-qmãÍ$Ä6/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`7/añ˜¹ìÍ S—ÞŦ  ±!|@€€añ˜¹ìÍ$ˆ7/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4Web `**`8/»ø§ïÍ S—ÞŦ  ±!|@€€»ø§ïÍ$˜8/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1Web `**09/ŽùÍ ¼"_Ýþ"  J ! €ŽùÍ„t9/Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem %ö$!&8¸ Thursday,  March  15,  20123:00 AM - Update Rollup for ActiveX Killbits for Windows 7 for x64-based Systems (KB2647518) - Security Update for Windows 7 for x64-based Systems (KB2621440) - Windows Malicious Software Removal Tool x64 - March 2012 (KB890830) - Update for Windows 7 for x64-based Systems (KB2639308) - Security Update for Windows 7 for x64-based Systems (KB2665364) - Security Update for Windows 7 for x64-based Systems (KB2667402) - Security Update for Windows 7 for x64-based Systems (KB2641653)€“È0**`:/Ï ]ŠûÍ S—ÞŦ  ±!|@€€Ï ]ŠûÍ$X :/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4€€OH`**È;/€Bc¤ûÍ rBøëV]rBøë9S‘(B{ÌuõKÃA·Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ/øAÿÿ"=EventLogAú  w œ æAÿÿ : h ÿÿSystemÿÿHÒWKS-WIN764BITB.shieldbase.localAÿÿ; ^ ! A!}€€€Bc¤ûÍ;/ FÓì¼_FÓì%g>¶9×{p(é4ÿÿ(k “ ùR€103908960300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.110622-15064cdad221Not AvailableNot Available911024409WKS-WIN764BITB.shieldbase.localtpÈ**`/¶7÷Ì Í S—ÞŦ  ±!|@€€¶7÷Ì Í$,>/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1Http`**`?/ïTfÍ S—ÞŦ  ±!|@€€ïTfÍ$ô ?/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4Http`**`@/F1&´Í S—ÞŦ  ±!|@€€F1&´Í$ì@/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1Http`**`A/õj"Í S—ÞŦ  ±!|@€€õj"Í$ÄA/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4Http`**`B/€€l$Í S—ÞŦ  ±!|@€€€€l$Í$ðB/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1S—ÞÅ&`**`C/FîUk.Í S—ÞŦ  ±!|@€€FîUk.Í$¨C/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`D/Gl¹0Í S—ÞŦ  ±!|@€€Gl¹0Í$ D/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1sÎÍ$`**`E/ÚîQ<Í S—ÞŦ  ±!|@€€ÚîQ<Í$ð E/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4›ÎÍ$`**`F/žŽwk>Í S—ÞŦ  ±!|@€€žŽwk>Í$ôF/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1d`**`G/«µvYKÍ S—ÞŦ  ±!|@€€«µvYKÍ$ G/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4d`**`H/9?§MÍ S—ÞŦ  ±!|@€€9?§MÍ$H/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1d`**`I/ŠÀ@9PÍ S—ÞŦ  ±!|@€€ŠÀ@9PÍ$4 I/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4d`**8J/ZZçXzÍ S—ÞŦ  i!|@€€eù>XzÍ$Ðl/ ÞáÜ4DMcAfee McShieldstoppedMcShield/1al**Øm/®£XzÍ rBøëV] +!v€€®£XzÍm/ FÓì¼_¡dinHØ**(n/EG‹XzÍ S—ÞŦ  !|@€€EG‹XzÍ$n/ ÞáÜ4D.Certificate PropagationstoppedCertPropSvc/1(**ˆo/EG‹XzÍ ¼"_Ýþ"  > o!?gÇ EG‹XzͨÞuÀŸ4to/Microsoft-Windows-DHCPv6-Client+jj8L•¥\«;gxSystem £JA-㮣JA-un$áke [hg#@ÿÿ4kAÿÿ'“=DwordVal ˆ**0p/EG‹XzÍ ¼"_Ýþ"  : !Euà EG‹XzͨÞu€áu4„p/Microsoft-Windows-Dhcp-Clientø¤§r«N«­ùŠMfjíSystem £JA-㮀€A70**q/EG‹XzÍ S—ÞŦ  Y!|@€€EG‹XzÍ$q/ ÞáÜ4DDHCP ClientstoppedDhcp/1**0r/’n’XzÍ S—ÞŦ  …!|@€€’n’XzÍ$r/ ÞáÜ4D."Diagnostic Service Hoststopped"WdiServiceHost/1*0** s/ú¨ËXzÍ S—ÞŦ  s!|@€€ú¨ËXzÍ$s/ ÞáÜ4D2 Diagnostic Policy Servicestopped DPS/1F= **t/"YzÍ S—ÞŦ  m!|@€€"YzÍ$t/ ÞáÜ4D"Windows Event Logstoppedeventlog/1pS**0u/+0®YzÍ S—ÞŦ  !|@€€+0®YzÍ$u/ ÞáÜ4D4Windows Font Cache ServicestoppedFontCache/1WerS0** v/¾VóYzÍ S—ÞŦ  w!|@€€¾VóYzÍ$v/ ÞáÜ4D,Cryptographic ServicesstoppedCryptSvc/1 **(w/иZzÍ S—ÞŦ  {!|@€€Ð¸ZzÍ$w/ ÞáÜ4D& McAfee Task Managerstopped McTaskManager/1al(**8x/€Ï= {Í rBøëV] ‹!y€€€Ï= {Íx/ FÓì¼_h6.01.7601Service Pack 1Multiprocessor Free17514=8**èy/€Ï= {Í rBøëV] ;!u€€€Ï= {Íy/ FÓì¼_Ü ;è**˜z/€Ï= {Í rBøëV] í!}€€€Ï= {Íz/ FÓì¼_J€24560300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.localHa˜**P{/AšZzÍ Ü¸,F½V]ܸ,Ë™ ŸîuJˆ§7j°#AÿÿMsj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ‚øAÿÿF=ŒAú  N  w œ ¿ æAÿÿ : h AÿÿFÆí Aÿÿ)FNs  ÿÿHÒWKS-WIN764BITB.shieldbase.localAÿÿ; ^  …!  2 !b*N€AšZzÍáX˜ {/Microsoft-Windows-UserPnpP ô–1~ÑÁ]ÏInstallSubsystemState ÿÿ>Âù¡ÝCachingSubsystemState    AÿÿP**|/AšZzÍ S—ÞŦ  e!|@€€AšZzÍ$|/ ÞáÜ4DPlug and PlaystoppedPlugPlay/1**ø}/AšZzÍ S—ÞŦ  O!|@€€AšZzÍ$}/ ÞáÜ4D PowerstoppedPower/1ø** ~/ÿ¶¯ZzÍ S—ÞŦ  q!|@€€ÿ¶¯ZzÍ$~/ ÞáÜ4D(User Profile ServicestoppedProfSvc/1 **@/Í¢ÚZzÍ S—ÞŦ  “!|@€€Í¢ÚZzÍ$/ ÞáÜ4DNMicrosoft Software Shadow Copy Providerstoppedswprv/1‘Ê&@**`€/øŽæZzÍ S—ÞŦ  ³!|@€€øŽæZzÍ$€/ ÞáÜ4D`Remote Desktop Services UserMode Port RedirectorstoppedUmRdpService/1ãcTT`**P/ßüZzÍ S—ÞŦ  §!|@€€ßüZzÍ$/ ÞáÜ4DP"McAfee Host Intrusion Prevention Servicestopped"enterceptAgent/1P**‚/ú.[zÍ S—ÞŦ  e!|@€€ú.[zÍ$‚/ ÞáÜ4DSSDP DiscoverystoppedSSDPSRV/1.**0ƒ/.µJ[zÍ S—ÞŦ  ‡!|@€€.µJ[zÍ$ƒ/ ÞáÜ4D@Distributed Link Tracking ClientstoppedTrkWks/1t0**„/.µJ[zÍ S—ÞŦ  o!|@€€.µJ[zÍ$„/ ÞáÜ4D$Credential ManagerstoppedVaultSvc/1n**@…/.µJ[zÍ S—ÞŦ  ‘!|@€€.µJ[zÍ$…/ ÞáÜ4DLDesktop Window Manager Session ManagerstoppedUxSms/1eLoo@**(†/ zO[zÍ S—ÞŦ  !|@€€ zO[zÍ$†/ ÞáÜ4D.Remote Desktop ServicesstoppedTermService/1M(**0‡/Y¡V[zÍ S—ÞŦ  !|@€€Y¡V[zÍ$‡/ ÞáÜ4D8McAfee Firewall Core Servicestoppedmfefire/140** ˆ/Üp[zÍ S—ÞŦ  q!|@€€Üp[zÍ$ˆ/ ÞáÜ4D(VMware Tools ServicestoppedVMTools/1/1 **ȉ/P¸›[zÍ ¼"_Ýþ"  @ ©!€P¸›[zÍáXÐâXìÄ ‰/Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <ÕµÒz <ÕÐ!ö{ôA²»Äjÿÿ^kAÿÿ%“=NewTime Aÿÿ%“=OldTime P¸›[zÍìÇ›[zÍ UÍ$È**Š/¸A¥[zÍ S—ÞŦ  a!|@€€¸A¥[zÍ$Š/ ÞáÜ4DWindows TimestoppedW32Time/1y!**8‹/Æh¬[zÍ S—ÞŦ  !|@€€Æh¬[zÍ$‹/ ÞáÜ4DDWindows Management InstrumentationstoppedWinmgmt/1€Ûu8**Œ/ðÝÁ[zÍ ¼"_Ýþ" <  !gm€ðÝÁ[zÍáXÄÈŒ/Microsoft-Windows-Kernel-Power:;3 ÂD¬^w" 7Ö´System ³ nµÖ³ nÀ {pe£ ÊÜEÐÎÿÿÂkAÿÿ;“-=ShutdownActionType Aÿÿ9“+=ShutdownEventCode Aÿÿ3“%=ShutdownReason **/øŒñ[zÍ S—ÞŦ  e!|@€€øŒñ[zÍ$/ ÞáÜ4DSecurity Centerstoppedwscsvc/1**Ž/hÅ*\zÍ S—ÞŦ  e!|@€€hÅ*\zÍ$Ž/ ÞáÜ4D$ Volume Shadow Copystopped VSS/1**0/’:@\zÍ S—ÞŦ  ƒ!|@€€’:@\zÍ$/ ÞáÜ4D*$VMware Upgrade Helperstopped$VMUpgradeHelper/10**8/˜ z^zÍ S—ÞŦ  !|@€€˜ z^zÍ$/ ÞáÜ4DFOffice Software Protection Platformstoppedosppsvc/18**H‘/b.IbzÍ S—ÞŦ  ›!|@€€b.IbzÍ$‘/ ÞáÜ4DTMcAfee Validation Trust Protection Servicestoppedmfevtp/1€€T€H**€’/öcÀbzÍ ¼"_Ýþ" @ s! €öcÀbzÍáX$’/Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System  %†˜¡Þ %†˜ÜùC»ö¢+Wi4à¸@ÿÿ4kAÿÿ'“=StopTime öcÀbzÍÜ€**`“/²×ôbzÍ S—ÞŦ  ±!|@€€²×ôbzÍ$“/ ÞáÜ4DP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1erst`**ø”/%•{zÍ ¼"_Ýþ"  @ ß! €%•{zÍáX”/Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System /«w‰á/«w‰mU©WFó­ÿ”Š~ÿÿrkAÿÿ/“!= MajorVersion Aÿÿ/“!= MinorVersion Aÿÿ/“!= BuildVersion Aÿÿ+“= QfeVersion Aÿÿ3“%=ServiceVersion Aÿÿ'“=BootMode Aÿÿ)“= StartTime ±?E@‚{zÍø**è•/~€Ø}zÍ ¼"_Ýþ"  > Ñ!€~€Ø}zÍøßX•/Microsoft-Windows-FilterManagerŽâÅóöcÇI¢äŠÄ°System ¼w7ƒä¼w7‘Þ->´v«SZGslÿÿ`kAÿÿ-“= FinalStatus Aÿÿ;“-=DeviceVersionMajor Aÿÿ;“-=DeviceVersionMinor Aÿÿ7“)=DeviceNameLength Aÿÿ+“= DeviceName Aÿÿ+“= DeviceTime FileInfo€¶ÊíðÊ&è**–/RêŒzÍ ¼"_Ýþ"  P í!€RêŒzÍáXD–/Microsoft-Windows-Kernel-Processor-PowerŸägQþŸN´o)HÌ`'System ÿJ¶–}çÿJ¶–°e8©R°_éÕÌ~šÿÿŽkAÿÿ!“=Group Aÿÿ#“=Number Aÿÿ3“%=IdleStateCount Aÿÿ3“%=PerfStateCount Aÿÿ;“-=ThrottleStateCount AÿÿI¸èZ  ComplexData= IdleState ŽAÿÿ)¸è= PerfState Ž**—/hhL {Í S—ÞŦ  e!|@€€hhL {Í$|—/ ÞáÜ4DPlug and PlayrunningPlugPlay/4**0˜/hhL {Í Ü¸,F½  2 !b*N€hhL {ÍáX”¤˜/Microsoft-Windows-UserPnpP ô–1~ G!€h•} {ÍáXDš/Microsoft-Windows-FilterManagerŽâÅóöcÇI¢äŠÄ°System ¼w7ƒä luafv€x‰ÈïÊnn`**0›/üÊô {Í S—ÞŦ  ‡!|@€€üÊô {Í$|›/ ÞáÜ4D8DCOM Server Process LauncherrunningDcomLaunch/4u0**(œ/Æe0 {Í S—ÞŦ  y!|@€€Æe0 {Í$|œ/ ÞáÜ4D&RPC Endpoint MapperrunningRpcEptMapper/4d(**(/DÅp {Í S—ÞŦ  {!|@€€DÅp {Í$|/ ÞáÜ4D6Remote Procedure Call (RPC)runningRpcSs/4!(**ž/´*Û {Í S—ÞŦ  m!|@€€´*Û {Í$Tž/ ÞáÜ4D"Windows Event Logrunningeventlog/4**(Ÿ/ôu'{Í S—ÞŦ  y!|@€€ôu'{Í$pŸ/ ÞáÜ4D4Multimedia Class SchedulerrunningMMCSS/4coul(**H /ZÎ{Í S—ÞŦ  Ÿ!|@€€ZÎ{Í$p / ÞáÜ4D<.Windows Audio Endpoint Builderrunning.AudioEndpointBuilder/4xH**¡/øã×{Í S—ÞŦ  e!|@€€øã×{Í$T¡/ ÞáÜ4DWindows AudiorunningAudioSrv/4in**¢/ˆØÏ{Í S—ÞŦ  S!|@€€ˆØÏ{Í$T¢/ ÞáÜ4D ThemesrunningThemes/4twa** £/ºü{Í S—ÞŦ  q!|@€€ºü{Í$p£/ ÞáÜ4D(User Profile ServicerunningProfSvc/4& **¤/¦]6{Í S—ÞŦ  k!|@€€¦]6{Í$p¤/ ÞáÜ4D&Group Policy Clientrunninggpsvc/4**¥/*5N{Í S—ÞŦ  i!|@€€*5N{Í$T¥/ ÞáÜ4DOffline FilesrunningCscService/4 ÞáÜ** ¦/$½v{Í S—ÞŦ  s!|@€€$½v{Í$T¦/ ÞáÜ4D"COM+ Event SystemrunningEventSystem/4€€éß **0§/x§¡{Í S—ÞŦ  …!|@€€x§¡{Í$T§/ ÞáÜ4DBSystem Event Notification ServicerunningSENS/4 0**8¨/†‚m{Í S—ÞŦ  !|@€€†‚m{Í$T¨/ ÞáÜ4D2&Windows Modules Installerrunning&TrustedInstaller/48**@©/°÷‚{Í S—ÞŦ  ‘!|@€€°÷‚{Í$T©/ ÞáÜ4DLDesktop Window Manager Session ManagerrunningUxSms/4S—ÞÅ&@ S—ÞŦ  |@€€°÷‚{Í$Tª/ ÞáÜ4Dles InstallerElfChnkšPª/`0€þ(ÿ÷ï<‚WÉpðö‹ÌÁ³=Âè“è§Óé”êöзt?øaç‚M+“„FÅíµlèn‘Ã:Ë—­B•É.å&«ÖñY**¨ª/°÷‚{Í S—ÞÅ&S—ÞÅB•”"ó[¥ˆå›AMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿßøoTSystemAÿÿ2ñ{ProviderF=K•NameService Control ManagerF†)Guid&{555908d1-a6d7-4695-8e1e-26931d2012f4}í`ÖEventSourceNameService Control ManagerAMSõaEventID't†)Ú Qualifiers "§ Version ÐdÎLevelõE{Task ®Opcode$?jÏKeywordsAÿÿPj;Ž TimeCreated'“j<{ SystemTime .ÁF EventRecordID Aÿÿ…ö¢ò Correlation\F ñ ActivityIDFS5ÅRelatedActivityIDAÿÿm‚¸µ ExecutionHF§ × ProcessIDÌõ…9ThreadID ÿÿ.öƒaChannelSystemÿÿb+j;nComputerWKS-WIN764BITB.shieldbase.localAÿÿB”í .Security·fLUserID ! J!|@€€°÷‚{Í$Tª/ ÞáÜ4dÞáÜ4v¢ä“ú*…M^pâ»ÿÿ¯‹D‚ EventDataAÿÿ5³§ŠoData=param1 Aÿÿ#³=param2 ÿÿ  !¸Binary 2Security Accounts ManagerrunningSamSs/4¨**`«/.WÃ{Í S—ÞÅ& µ!|@€€.WÃ{Í$T«/ ÞáÜ4dlWindows Driver Foundation - User-mode Driver Frameworkrunningwudfsvc/4s`**(¬/6ó{Í S—ÞÅ& !|@€€6ó{Í$T¬/ ÞáÜ4d> Network Store Interface Servicerunning nsi/4 (** ­/b²`{Í S—ÞÅ& s!|@€€b²`{Í$T­/ ÞáÜ4d*TCP/IP NetBIOS Helperrunninglmhosts/4mÿ **€®/$žl{Í ¼"_Ýv ¼"_ÝÖJKlôñ¹®¼9VA Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ‚øAÿÿF=†AS t §  Ð õ  ?Aÿÿj “ Á AÿÿöFF Aÿÿ‚F§Ì  öÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · !  : 9!Dtà $žl{ÍáX88®/Microsoft-Windows-Dhcp-Clientø¤§r«N«­ùŠMfjíSystem Ý&Îî•Ý&ÎîË|Ö Žp)·cîÿÿ‹Win€**(¯/:t£{Í ¼"_Ýv   > !>fÇ :t£{ÍøßXÐâX8¼¯/Microsoft-Windows-DHCPv6-Client+jj8L•¥\«;gxSystem Ý&Îî•-D(**°/V±{Í S—ÞÅ& Y!|@€€V±{Í$T°/ ÞáÜ4dDHCP ClientrunningDhcp/4`/**±/œ…Õ{Í S—ÞÅ& _!|@€€œ…Õ{Í$T±/ ÞáÜ4dDNS ClientrunningDnscache/4**8²/z¿ï{Í S—ÞÅ& ‹!|@€€z¿ï{Í$T²/ ÞáÜ4d0&Shell Hardware Detectionrunning&ShellHWDetection/48**³/涩{Í S—ÞÅ& g!|@€€æ¶©{Í$T³/ ÞáÜ4dTask SchedulerrunningSchedule/4**´/8—­{Í S—ÞÅ& c!|@€€8—­{Í$€´/ ÞáÜ4dPrint SpoolerrunningSpooler/4/**µ/iA{Í S—ÞÅ& k!|@€€iA{Í$€µ/ ÞáÜ4d* Base Filtering Enginerunning BFE/4ed,**¶/ú¯ê{Í S—ÞÅ& g!|@€€ú¯ê{Í$€¶/ ÞáÜ4d Windows FirewallrunningMpsSvc/4 ** ·/ÊÂý{Í S—ÞÅ& s!|@€€ÊÂý{Í$€·/ ÞáÜ4d(Workstationrunning(LanmanWorkstation/4Í$ **¸/ÄJ&{Í S—ÞÅ& [!|@€€ÄJ&{Í$€¸/ ÞáÜ4dNetlogonrunningNetlogon/4** ¹/ðö“{Í S—ÞÅ& w!|@€€ðö“{Í$€¹/ ÞáÜ4d,Cryptographic ServicesrunningCryptSvc/4m ** º/À §{Í S—ÞÅ& s!|@€€À §{Í$Tº/ ÞáÜ4d2 Diagnostic Policy Servicerunning DPS/4 **P»/f[i{Í S—ÞÅ& §!|@€€f[i{Í$€»/ ÞáÜ4dP"McAfee Host Intrusion Prevention Servicerunning"enterceptAgent/4P**x¼/²Ñ¼'{Í S—ÞÅ& Ï!|@€€²Ñ¼'{Í$„¼/ ÞáÜ4dJPMcAfee SiteAdvisor Enterprise ServicerunningPMcAfee SiteAdvisor Enterprise Service/4Ãx**8½/`K){Í S—ÞÅ& ‰!|@€€`K){Í$Ƚ/ ÞáÜ4d0$McAfee Framework Servicerunning$McAfeeFramework/48**H¾/2ïè+{Í S—ÞÅ& ›!|@€€2ïè+{Í$Ⱦ/ ÞáÜ4dTMcAfee Validation Trust Protection Servicerunningmfevtp/45hH**0¿/†Ù,{Í ¼"_Ýv   P !É€†Ù,{Íh4¿/Microsoft-Windows-Application-ExperienceqNõîa-Bš˜‚ýI@¸ System Ý&Îî•h0**@À/†Ù,{Í S—ÞÅ& •!|@€€†Ù,{Í$€À/ ÞáÜ4dNProgram Compatibility Assistant ServicerunningPcaSvc/4@**(Á/2-{Í S—ÞÅ& {!|@€€2-{Í$€Á/ ÞáÜ4d4Network Location AwarenessrunningNlaSvc/4“(**0Â/@C!-{Í S—ÞÅ& ‡!|@€€@C!-{Í$ÈÂ/ ÞáÜ4d@Distributed Link Tracking ClientrunningTrkWks/40** Ã/ˆ=-{Í S—ÞÅ& q!|@€€ˆ=-{Í$ÈÃ/ ÞáÜ4d(VMware Tools ServicerunningVMTools/4& **¸Ä/¨ï-/{Í ¼"_Ýv   @ ­!€¨ï-/{͈¨Ä/Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <Õ/*z <ÕÐ!ö{ôA²»Äjÿÿ^‹Aÿÿ%³=NewTime Aÿÿ%³=OldTime @f$/{Íæ:/{͸**8Å/þ=â0{Í S—ÞÅ& !|@€€þ=â0{Í$€Å/ ÞáÜ4dDWindows Management InstrumentationrunningWinmgmt/43:8**(Æ/ÈØ1{Í S—ÞÅ& {!|@€€ÈØ1{Í$€Æ/ ÞáÜ4d& McAfee Task Managerrunning McTaskManager/4(KB(**0Ç/Q›2{Í S—ÞÅ& !|@€€Q›2{Í$ÈÇ/ ÞáÜ4d8McAfee Firewall Core Servicerunningmfefire/4Í„0**0È/¤5B3{Í S—ÞÅ& ƒ!|@€€¤5B3{Í$ÈÈ/ ÞáÜ4d*$VMware Upgrade Helperrunning$VMUpgradeHelper/4s f0**É/64a3{Í S—ÞÅ& ]!|@€€64a3{Í$ÈÉ/ ÞáÜ4dIP Helperrunningiphlpsvc/4us**Ê/h…×4{Í S—ÞÅ& _!|@€€h…×4{Í$€Ê/ ÞáÜ4d ServerrunningLanmanServer/4u**Ë/®7B{Í S—ÞÅ& i!|@€€®7B{Í$„Ë/ ÞáÜ4dMcAfee McShieldrunningMcShield/4star**(Ì/Xp÷C{Í S—ÞÅ& !|@€€Xp÷C{Í$|Ì/ ÞáÜ4d.Remote Desktop ServicesrunningTermService/4l(**0Í/ž3D{Í S—ÞÅ& …!|@€€ž3D{Í$|Í/ ÞáÜ4d."Diagnostic Service Hostrunning"WdiServiceHost/4ow0**0Î/ž3D{Í S—ÞÅ& !|@€€ž3D{Í$ Î/ ÞáÜ4d, Diagnostic System Hostrunning WdiSystemHost/4ms (0**@Ï/ì¥nD{Í S—ÞÅ& “!|@€€ì¥nD{Í$„Ï/ ÞáÜ4dDPortable Device Enumerator ServicerunningWPDBusEnum/4or @** Ð/ä#pE{Í S—ÞÅ& s!|@€€ä#pE{Í$ Ð/ ÞáÜ4d(Network List Servicerunningnetprofm/4 **Ñ/ F{Í S—ÞÅ& a!|@€€ F{Í$ Ñ/ ÞáÜ4dWindows TimerunningW32Time/4alle**@Ò/ÖG{Í ¼"_Ýv   < :!%€ÖG{ͬ  Ò/Microsoft-Windows-Time-ServiceëÏíÐSN¬Ê¦ø»øËSystem ï…ý>Ã:ï…ý>Á#å×­ä5TñAÿÿƒ‹G=TMP_EVENT_TIME_SOURCE_REACHABLEAÿÿ+³= TimeSource |Controller.shieldbase.local (ntp.d|0.0.0.0:123->10.3.58.4:123)pd@**`Ó/”Ô&G{Í S—ÞÅ& ±!|@€€”Ô&G{Í$€Ó/ ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4date`**Ô/”Ô&G{Í S—ÞÅ& i!|@€€”Ô&G{Í$|Ô/ ÞáÜ4d Computer BrowserrunningBrowser/4ows **0Õ/T¶ H{Í S—ÞÅ& ‡!|@€€T¶ H{Í$|Õ/ ÞáÜ4d8Remote Desktop ConfigurationrunningSessionEnv/4t0**(Ö/T¶ H{Í S—ÞÅ& !|@€€T¶ H{Í$|Ö/ ÞáÜ4d.Certificate PropagationrunningCertPropSvc/4T(**(×/âs«H{Í S—ÞÅ& }!|@€€âs«H{Í$|×/ ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4ec(**(Ø/lw_M{Í S—ÞÅ&  s!€@€€lw_M{Í$|Ø/ cÒ3­BcÒ3þœ ©™Î}²F±ôºÿÿ®‹Aÿÿ#³=param1 Aÿÿ#³=param2 Aÿÿ#³=param3 Aÿÿ#³=param4 2 Windows Modules Installerauto startdemand startTrustedInstaller (**`Ù/âT¡N{Í S—ÞÅ& ³!|@€€âT¡N{Í$„Ù/ ÞáÜ4d`Remote Desktop Services UserMode Port RedirectorrunningUmRdpService/4!`**8Ú/€p O{Í ¼"_Ýv   < 4!#€€p O{ͬ  Ú/Microsoft-Windows-Time-ServiceëÏíÐSN¬Ê¦ø»øËSystem ÌÂÕƒFv ÌÂÕu»Þj—\„ꃉAÿÿ}‹A=TMP_EVENT_TIME_SOURCE_CHOSENAÿÿ+³= TimeSource |Controller.shieldbase.local (ntp.d|0.0.0.0:123->10.3.58.4:123)8**Û/¶ÕXP{Í S—ÞÅ& m!|@€€¶ÕXP{Í$„Û/ ÞáÜ4d Windows DefenderrunningWinDefend/4ns**Ü/ÒŸ]P{Í S—ÞÅ& m!|@€€ÒŸ]P{Í$„Ü/ ÞáÜ4d Windows DefenderstoppedWinDefend/1co**xÝ/„³S‹{Í S—ÞÅ& Ï!|@€€„³S‹{Í$„Ý/ ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X86runningBclr_optimization_v4.0.30319_32/4ex**xÞ/„³S‹{Í S—ÞÅ& Ï!|@€€„³S‹{Í$„Þ/ ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X86stoppedBclr_optimization_v4.0.30319_32/1nx**xß/8¦!Œ{Í S—ÞÅ& Ï!|@€€8¦!Œ{Í$„ß/ ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X64runningBclr_optimization_v4.0.30319_64/4xx**xà/8¦!Œ{Í S—ÞÅ& Ï!|@€€8¦!Œ{Í$„à/ ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X64stoppedBclr_optimization_v4.0.30319_64/1x**0á/V&ªŒ{Í S—ÞÅ& !|@€€V&ªŒ{Í$„á/ ÞáÜ4d4Windows Font Cache ServicerunningFontCache/4Win0**â/B­{Í S—ÞÅ& m!|@€€B­{Í$„â/ ÞáÜ4d&Software Protectionrunningsppsvc/4ox**ã/æ„É{Í S—ÞÅ& e!|@€€æ„É{Í$„ã/ ÞáÜ4dSecurity Centerrunningwscsvc/4$**8ä/N””–{Í S—ÞÅ& ‹!|@€€N””–{Í$„ä/ ÞáÜ4d0&Shell Hardware Detectionstopped&ShellHWDetection/18**å/Àr+—{Í S—ÞÅ& e!|@€€Àr+—{Í$„å/ ÞáÜ4dWindows SearchrunningWSearch/4**@æ/ð<‹—{Í S—ÞÅ& “!|@€€ð<‹—{Í$„æ/ ÞáÜ4dDPortable Device Enumerator ServicestoppedWPDBusEnum/1eb @**ç/¦™µ{Í S—ÞÅ& g!|@€€¦™µ{Í$ç/ ÞáÜ4dWindows Updaterunningwuauserv/4**(è/êÁ{Í S—ÞÅ& y!|@€€êÁ{Í$ è/ ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1y Up(**˜é/b‡eÖ{Í ¼"_Ýv   J ‡! €b‡eÖ{Í„Üé/Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem ðñ ññYdðñ ñKòêr«Ø®Ý'ªô¾ÿÿ²‹Aÿÿ-³= updateTitle Aÿÿ+³= updateGuid Aÿÿ?³1=updateRevisionNumber ~Security Update for Windows 7 for x64-based Systems (KB2641653)ÆêзOž\<Ë]XLæeo˜**Èê/b‡eÖ{Í ¼"_Ýv   J ±! €b‡eÖ{Í„Üê/Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem ðñ ññY~Security Update for Windows 7 for x64-based Systems (KB2667402)´m~‡$!ØI¥hä£e**È**Èë/b‡eÖ{Í ¼"_Ýv   J ±! €b‡eÖ{Í„Üë/Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem ðñ ññY~Security Update for Windows 7 for x64-based Systems (KB2665364)«JÇv<ÁÓKo®ùm‹1äeeldÈ**°ì/b‡eÖ{Í ¼"_Ýv   J Ÿ! €b‡eÖ{Í„Üì/Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem ðñ ññYlUpdate for Windows 7 for x64-based Systems (KB2639308)‘ô¢a,8AIˆ‹/Êohød°**Èí/b‡eÖ{Í ¼"_Ýv   J ±! €b‡eÖ{Í„Üí/Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem ðñ ññY~Security Update for Windows 7 for x64-based Systems (KB2621440)Ea†¹ì£¶9×{p(é4ÿÿ(‹ ³  N€3188160300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.localÀ**`0ç„‘ÅÍ S—ÞÅ& ±!|@€€ç„‘ÅÍ$ð 0 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`0Q§`ÇÍ S—ÞÅ& ±!|@€€Q§`ÇÍ$x0 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**` 0²Ì@TÓÍ S—ÞÅ& ±!|@€€²Ì@TÓÍ$  0 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**` 02ØU¢ÕÍ S—ÞÅ& ±!|@€€2ØU¢ÕÍ$€ 0 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**` 0F)¶¦ÞÍ S—ÞÅ& ±!|@€€F)¶¦ÞÍ$T 0 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**` 0ÙÇÎôàÍ S—ÞÅ& ±!|@€€ÙÇÎôàÍ$ 0 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**` 025¬êÍ S—ÞÅ& ±!|@€€25¬êÍ$Ð 0 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`0²'JúìÍ S—ÞÅ& ±!|@€€²'JúìÍ$ð0 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**0òĺ?ðÍ ì›Ðon‘ƒFì›Ðo5ÚÛŸ2â¿A³Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ+øAÿÿ=TermDDAS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · ! ™!2 À€òĺ?ðÍD0 FÓì„*L\Device\TermddX.224L$L2 À2 À' ð€dëpðê$**00òĺ?ðÍ ì›Ðon‘ !8 À€òĺ?ðÍD0 FÓì„2,\Device\Termdd10.3.16.5,,8 À8 À2 Ð0**80 ò/íðÍ S—ÞÅ& ‹!|@€€ ò/íðÍ$”0 ÞáÜ4d0&Shell Hardware Detectionrunning&ShellHWDetection/48**¸0úÎqîðÍ ¼"_Ýv   4 ·!MY úÎqîðÍ  @ 0Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLChË—ÝLCh´y…ÓÒmÖ»Í dÿÿX‹Aÿÿ³=TSId Aÿÿ%³=UserSid —*gy TJ¶‡(~Q¸**0PeÝóðÍ S—ÞÅ& _!|@€€PeÝóðÍ$ü0 ÞáÜ4dWebClientrunningWebClient/4**@0xdüûðÍ S—ÞÅ& “!|@€€xdüûðÍ$ü0 ÞáÜ4dDPortable Device Enumerator ServicerunningWPDBusEnum/4@**0ÙoªüðÍ S—ÞÅ& i!|@€€ÙoªüðÍ$”0 ÞáÜ4d"CNG Key IsolationrunningKeyIso/4**00Ñ5¯ ñÍ S—ÞÅ& …!|@€€Ñ5¯ ñÍ$”0 ÞáÜ4d>Windows Error Reporting ServicerunningWerSvc/40**(0ËõêñÍ S—ÞÅ& y!|@€€ËõêñÍ$ü0 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**0xŽýñÍ S—ÞÅ& m!|@€€xŽýñÍ$”0 ÞáÜ4d&Network ConnectionsrunningNetman/4**`0³ò¸!ñÍ S—ÞÅ& ±!|@€€³ò¸!ñÍ$ü 0 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`** 0†¤è?ñÍ S—ÞÅ& w!|@€€†¤è?ñÍ$ü 0 ÞáÜ4d.Application InformationrunningAppinfo/4 **@0ADŠCñÍ S—ÞÅ& “!|@€€ADŠCñÍ$ü 0 ÞáÜ4dDPortable Device Enumerator ServicestoppedWPDBusEnum/1@**00QM3TñÍ S—ÞÅ& …!|@€€QM3TñÍ$”0 ÞáÜ4d>Windows Error Reporting ServicestoppedWerSvc/10**(0êmËLòÍ S—ÞÅ& y!|@€€êmËLòÍ$p 0 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**(07ÎòÍ S—ÞÅ& y!|@€€7ÎòÍ$ü0 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**80.0iÙòÍ ¼"_Ýv   4 ;!NZ .0iÙòÍ  @ 0Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLChË——*gy TJ¶‡(~Q8**( 0h_óÍ S—ÞÅ& }!|@€€h_óÍ$ü 0 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**8!0»{!óÍ S—ÞÅ& ‹!|@€€»{!óÍ$(!0 ÞáÜ4d0&Shell Hardware Detectionstopped&ShellHWDetection/18**`"0wJÑoóÍ S—ÞÅ& ±!|@€€wJÑoóÍ$” "0 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**(#0£ÆØtóÍ S—ÞÅ& }!|@€€£ÆØtóÍ$(#0 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**($0xñ‰óÍ S—ÞÅ& y!|@€€xñ‰óÍ$” $0 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**8%0çRøÍ S—ÞÅ& ‹!|@€€çRøÍ$ì %0 ÞáÜ4d0&Shell Hardware Detectionrunning&ShellHWDetection/48**8&0¯3?RøÍ ¼"_Ýv   4 ;!MY ¯3?RøÍä ” &0Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLChË——*gy TJ¶‡(~Z8**@'0¸ÛYøÍ S—ÞÅ& “!|@€€¸ÛYøÍ$0 '0 ÞáÜ4dDPortable Device Enumerator ServicerunningWPDBusEnum/4@**((0;CdøÍ S—ÞÅ& y!|@€€;CdøÍ$Ü (0 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**0)0Cˆ©}øÍ ¼"_Ýv   P !΀Cˆ©}øÍh|)0Microsoft-Windows-Application-ExperienceqNõîa-Bš˜‚ýI@¸ System Ý&Îî•0**@*0l a¡øÍ S—ÞÅ& “!|@€€l a¡øÍ$Ü *0 ÞáÜ4dDPortable Device Enumerator ServicestoppedWPDBusEnum/1@** +0W»¡øÍ S—ÞÅ& Ù!…@€€W»¡øÍ$Ü +0—*gy TJ¶‡(~Z YA¶&íµYA¶&§Ÿï)Úì ÛY„ÿÿ‹Aÿÿ-³= ServiceName Aÿÿ)³= ImagePath Aÿÿ-³= ServiceType Aÿÿ)³= StartType Aÿÿ-³= AccountName  L$BCSWAPC:\Windows\system32\drivers\BCSWAP.syskernel mode driverdisabled **¸,0/F¢øÍ S—ÞÅ& ó!…@€€/F¢øÍ$Ü ,0—*gy TJ¶‡(~Z YA¶&íµd"BCWipe serviceC:\Program Files (x86)\Jetico\BCWipe\BCWipeSvc.exeuser mode serviceauto startLocalSystem¸**p-0ß;¢øÍ S—ÞÅ& «!…@€€ß;¢øÍ$-0—*gy TJ¶‡(~Z YA¶&íµF$fshC:\Windows\system32\drivers\fsh.syskernel mode driverboot startp**.0ëS¢øÍ S—ÞÅ& i!|@€€ëS¢øÍ$.0 ÞáÜ4dBCWipe servicerunningBCWipeSvc/4**0/0‘+¿øÍ S—ÞÅ& …!|@€€‘+¿øÍ$/0 ÞáÜ4d>Windows Error Reporting ServicerunningWerSvc/40**00@÷îÚøÍ S—ÞÅ& e!|@€€@÷îÚøÍ$Ü 00 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@10ÜÿÚøÍ S—ÞÅ& “!|@€€ÜÿÚøÍ$Ð10 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**020G-³ùÍ S—ÞÅ& …!|@€€G-³ùÍ$Ü 20 ÞáÜ4d>Windows Error Reporting ServicestoppedWerSvc/10**30ò@"~ùÍ S—ÞÅ& e!|@€€ò@"~ùÍ$ü30 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**4053$’ùÍ S—ÞÅ& m!|@€€53$’ùÍ$ 40 ÞáÜ4d&Software Protectionrunningsppsvc/4**5004ž”ùÍ S—ÞÅ& e!|@€€04ž”ùÍ$è 50 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**860ÞL‰—ùÍ S—ÞÅ& !|@€€ÞL‰—ùÍ$ 60 ÞáÜ4dBBlock Level Backup Engine Servicerunningwbengine/48**Ð70€ª]˜ùÍ ßñæâFÅ/*ßñæâpl›”ÀÿJ4(5òÛAÏMsj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿGøAÿÿ:1=Virtual Disk ServiceAS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · ! 5!B€€ª]˜ùÍ70 FÓì„@2010005Ð**80¤&Ù˜ùÍ S—ÞÅ& Y!|@€€¤&Ù˜ùÍ$è 80 ÞáÜ4d Virtual Diskrunning vds/4**È90$#÷ùÍ ÿÆaUÉÿÆaUµÈø™¸ò—¸ãŸ°¿A³Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ+øAÿÿ=USER32AS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · ! -!2€€$#÷ùÍ90—*gy TJ¶‡(~Z FÓì„â(wininit.exe (10.3.58.4)WKS-WIN764BITBApplication: Installation (Planned)0x84040002restartSHIELDBASE\rsydow(„È**8:0JBj úÍ ¼"_Ýv   4 ;!NZ JBj úÍä ” :0Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLChË——*gy TJ¶‡(~Z8**(;0¸È± úÍ ¼"_Ýv   J !€€¸È± úÍ„d ;0Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem Ý&Îî•(**<0‹Ì úÍ S—ÞÅ& g!|@€€‹Ì úÍ$\ <0 ÞáÜ4dWindows Updatestoppedwuauserv/1**Ø=0€ä0 úÍ rBøë® +!v€€€ä0 úÍ=0 FÓì„Ø**>0ë úÍ S—ÞÅ& k!|@€€ë úÍ$è >0 ÞáÜ4d&Group Policy Clientstoppedgpsvc/1**?0ŠØ úÍ S—ÞÅ& i!|@€€ŠØ úÍ$è ?0 ÞáÜ4dMcAfee McShieldstoppedMcShield/1**(@0†Q úÍ S—ÞÅ& !|@€€†Q úÍ$€ @0 ÞáÜ4d.Certificate PropagationstoppedCertPropSvc/1(**0A0žÒ~ úÍ S—ÞÅ& !|@€€žÒ~ úÍ$€ A0 ÞáÜ4d4Windows Font Cache ServicestoppedFontCache/10**ˆB0P—ƒ úÍ ¼"_Ýv   > o!?gÇ P—ƒ úÍhâÍ@åÍ8¼B0Microsoft-Windows-DHCPv6-Client+jj8L•¥\«;gxSystem £JA-«Ö£JA-un$áke [hg#@ÿÿ4‹Aÿÿ'³=DwordVal ˆ**0C0P—ƒ úÍ S—ÞÅ& …!|@€€P—ƒ úÍ$€ C0 ÞáÜ4d."Diagnostic Service Hoststopped"WdiServiceHost/10** D0P—ƒ úÍ S—ÞÅ& w!|@€€P—ƒ úÍ$€ D0 ÞáÜ4d,Cryptographic ServicesstoppedCryptSvc/1 **8E0€èUúÍ rBøë® ‹!y€€€èUúÍE0 FÓì„h6.01.7601Service Pack 1Multiprocessor Free175148**0F0Ên› úÍ ¼"_Ýv   : !Euà Ên› úÍW[Y(88F0Microsoft-Windows-Dhcp-Clientø¤§r«N«­ùŠMfjíSystem £JA-«Ö0**èG0€èUúÍ rBøë® ;!u€€€èUúÍG0 FÓì„ÜÎè**˜H0€èUúÍ rBøë® ë!}€€€èUúÍH0 FÓì„H€7460300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local˜**I0Ên› úÍ S—ÞÅ& Y!|@€€Ên› úÍ$€ I0 ÞáÜ4dDHCP ClientstoppedDhcp/1** J0#Ñ úÍ S—ÞÅ& s!|@€€#Ñ úÍ$€ J0 ÞáÜ4d2 Diagnostic Policy Servicestopped DPS/1 **K09¬ úÍ S—ÞÅ& m!|@€€9¬ úÍ$€ K0 ÞáÜ4d"Windows Event Logstoppedeventlog/1**PL0DF³ úÍ S—ÞÅ& §!|@€€DF³ úÍ$€ L0 ÞáÜ4dP"McAfee Host Intrusion Prevention Servicestopped"enterceptAgent/1P**(M0X@/úÍ S—ÞÅ& {!|@€€X@/úÍ$€ M0 ÞáÜ4d& McAfee Task Managerstopped McTaskManager/1(**hN0Çð?úÍ Ü¸,.å®Ü¸,Ë™ ŸîuJˆ§7j°=Aÿÿ1Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ‚øAÿÿF=†AS t §  Ð õ  ?Aÿÿj “ Á AÿÿöFF Aÿÿ‚F§Ì  öÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · $açF5DUserData!  2 !b*N€Çð?úÍá[”¼ N0Microsoft-Windows-UserPnpP ô–1~Óé]ÏInstallSubsystemState ÿÿ>ê ¡ÝCachingSubsystemState    h**O0Çð?úÍ S—ÞÅ& e!|@€€Çð?úÍ$€ O0 ÞáÜ4dPlug and PlaystoppedPlugPlay/1**0P0 SBúÍ S—ÞÅ& !|@€€ SBúÍ$€ P0 ÞáÜ4d8McAfee Firewall Core Servicestoppedmfefire/10**øQ0+zIúÍ S—ÞÅ& O!|@€€+zIúÍ$€ Q0 ÞáÜ4d PowerstoppedPower/1ø** R0„ÜKúÍ S—ÞÅ& q!|@€€„ÜKúÍ$€ R0 ÞáÜ4d(User Profile ServicestoppedProfSvc/1 **@S0)yúÍ S—ÞÅ& “!|@€€)yúÍ$€ S0 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**T0x‹{úÍ S—ÞÅ& m!|@€€x‹{úÍ$€ T0 ÞáÜ4d&Software Protectionstoppedsppsvc/1**`U0x‹{úÍ S—ÞÅ& ³!|@€€x‹{úÍ$€ U0 ÞáÜ4d`Remote Desktop Services UserMode Port RedirectorstoppedUmRdpService/1`**0V0ƒ²‚úÍ S—ÞÅ& ‡!|@€€ƒ²‚úÍ$€ V0 ÞáÜ4d@Distributed Link Tracking ClientstoppedTrkWks/10**@W0±¡úÍ S—ÞÅ& ‘!|@€€±¡úÍ$€ W0 ÞáÜ4dLDesktop Window Manager Session ManagerstoppedUxSms/1@** X0±¡úÍ S—ÞÅ& q!|@€€±¡úÍ$€ X0 ÞáÜ4d(VMware Tools ServicestoppedVMTools/1 **@Y0ÙϨúÍ ¼"_Ýv   @ '!€ÙϨúÍá[Ðâ[¬¨ Y0Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <Õ/*€m¦úͺu¦úÍ@**Z0ÙϨúÍ S—ÞÅ& a!|@€€ÙϨúÍ$€ Z0 ÞáÜ4dWindows TimestoppedW32Time/1**([0”­úÍ S—ÞÅ& !|@€€”­úÍ$€ [0 ÞáÜ4d.Remote Desktop ServicesstoppedTermService/1(**0\0›»´úÍ S—ÞÅ& ƒ!|@€€›»´úÍ$€ \0 ÞáÜ4d*$VMware Upgrade Helperstopped$VMUpgradeHelper/10**]0“ÌúÍ S—ÞÅ& i!|@€€“ÌúÍ$€ ]0 ÞáÜ4dBCWipe servicestoppedBCWipeSvc/1**8^0yõÎúÍ S—ÞÅ& !|@€€yõÎúÍ$€ ^0 ÞáÜ4dDWindows Management InstrumentationstoppedWinmgmt/18**_0yõÎúÍ S—ÞÅ& e!|@€€yõÎúÍ$€ _0 ÞáÜ4dSecurity Centerstoppedwscsvc/1**`0á~ØúÍ S—ÞÅ& e!|@€€á~ØúÍ$€ `0 ÞáÜ4d$ Volume Shadow Copystopped VSS/1 ¼"_Ýv  < ElfChnkQa01€þ(ÿfê\fŒ¦ýóè*=Z+Îàk‰ °÷Ò›f?øù©MFºl‘GTÛCnµ)¥é~»dû{O8îŽÖ—> K¡Ü **a0«FEúÍ ¼"_Ý&¼"_ÝÖJKlôñ¹®¼9V¶AªMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿúøoTSystemAÿÿYñ{Provider6F=K•NameX)GuidAMzõaEventID'›X)Ú Qualifiers "Î Version ÷dÎLevelE{Task ?®Opcode$fjÏKeywordsAÿÿP‘;Ž TimeCreated'ºj<{ SystemTime .èF EventRecordID Aÿÿ…¢ò Correlation\FF ñ ActivityIDmz5ÅRelatedActivityID Aÿÿm©¸µ ExecutionHFÎF × ProcessIDó…9ThreadID "ƒaChannelÿÿbF‘;nComputerWKS-WIN764BITB.shieldbase.localAÿÿB¯ .SecurityÒfLUserID ! < ;!gm€«FEúÍá[ÄÈa0Microsoft-Windows-Kernel-Power:;3 ÂD¬^w" 7Ö´System ³ nÛ³ nÀ {pe£ ÊÜEÐüÿÿðD‚ EventDataAÿÿM*ΊoData-=ShutdownActionType Aÿÿ9*+=ShutdownEventCode Aÿÿ3*%=ShutdownReason ÿÿ **b0Ë\fúÍ S—ÞÅ> S—ÞÅB•”"ó[¥ˆåûAïMsj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿgøAÿÿôëF=Service Control ManagerFX&{555908d1-a6d7-4695-8e1e-26931d2012f4}‰ ¯`ÖEventSourceNameService Control ManagerAz › Î  ÷  ? fAÿÿ‘ º è AÿÿFFmAÿÿ©FÎó ÿÿSystemÿÿHFWKS-WIN764BITB.shieldbase.localAÿÿ¯ Ò ! @!|@€€Ë\fúÍ$€ b0 ÞáÜ4Ü ÞáÜ4v¢ä“ú*…M^pâÿÿAÿÿ#*=param1 Aÿÿ#*=param2 ÿÿ c !¸Binary TMcAfee Validation Trust Protection Servicestoppedmfevtp/1nt**€c0XÃúÍ ¼"_Ý& @ s! €XÃúÍá[0 c0Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System  %†˜) %†˜ÜùC»ö¢+Wi4à¸@ÿÿ4Aÿÿ'*=StopTime XÃúÍ€**ød0ž¡3*úÍ ¼"_Ý&  @ ß! €ž¡3*úÍá[d0Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System /«w‰µ/«w‰mU©WFó­ÿ”Š~ÿÿrAÿÿ/*!= MajorVersion Aÿÿ/*!= MinorVersion Aÿÿ/*!= BuildVersion Aÿÿ+*= QfeVersion Aÿÿ3*%=ServiceVersion Aÿÿ'*=BootMode Aÿÿ)*= StartTime ±?EÀg*úÍø**èe0‚­‡,úÍ ¼"_Ý&  > Ñ!€‚­‡,úÍøß[e0Microsoft-Windows-FilterManagerŽâÅóöcÇI¢äŠÄ°System ¼w7«¼w7‘Þ->´v«SZGslÿÿ`Aÿÿ-*= FinalStatus Aÿÿ;*-=DeviceVersionMajor Aÿÿ;*-=DeviceVersionMinor Aÿÿ7*)=DeviceNameLength Aÿÿ+*= DeviceName Aÿÿ+*= DeviceTime FileInfo€¶ÊíðÊè**f0Î<úÍ ¼"_Ý&  P í!€Î<úÍá[0f0Microsoft-Windows-Kernel-Processor-PowerŸägQþŸN´o)HÌ`'System ÿJ¶–¥ÿJ¶–°e8©R°_éÕÌ~šÿÿŽAÿÿ!*=Group Aÿÿ#*=Number Aÿÿ3*%=IdleStateCount Aÿÿ3*%=PerfStateCount Aÿÿ;*-=ThrottleStateCount AÿÿIàZ  ComplexData= IdleState ŽAÿÿ)à= PerfState Ž¯ê**g0‚ |QúÍ S—ÞÅ>  e!|@€€‚ |QúÍü<g0 ÞáÜ4Ü Plug and PlayrunningPlugPlay/4Âý**hh0‚ |QúÍ Ü¸,Æܸ,Ë™ ŸîuJˆ§7j°=Aÿÿ1Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ‚øAÿÿF=XAz › Î  ÷  ? fAÿÿ‘ º è AÿÿFFm Aÿÿ©FÎó  ÿÿHFWKS-WIN764BITB.shieldbase.localAÿÿ¯ Ò $ùm5DUserData!  2 !b*N€‚ |QúÍá[dth0Microsoft-Windows-UserPnpP ô–1~k]ÏInstallSubsystemState ÿÿ>°c ¡ÝCachingSubsystemState    eh**øi0j@RúÍ S—ÞÅ>  O!|@€€j@RúÍü<i0 ÞáÜ4Ü  PowerrunningPower/4ø**`j0øý½RúÍ ¼"_Ý&  > G!€øý½RúÍá[8j0Microsoft-Windows-FilterManagerŽâÅóöcÇI¢äŠÄ°System ¼w7« luafv€x‰ÈïÊ`**0k0ì SúÍ S—ÞÅ>  ‡!|@€€ì SúÍü<k0 ÞáÜ4Ü 8DCOM Server Process LauncherrunningDcomLaunch/4/0**(l0æ•7SúÍ S—ÞÅ>  y!|@€€æ•7SúÍü<l0 ÞáÜ4Ü &RPC Endpoint MapperrunningRpcEptMapper/4É(**(m0ÄÏQSúÍ S—ÞÅ>  {!|@€€ÄÏQSúÍü<m0 ÞáÜ4Ü 6Remote Procedure Call (RPC)runningRpcSs/4(**n0t­9VúÍ S—ÞÅ>  i!|@€€t­9VúÍü(n0 ÞáÜ4Ü BCWipe servicerunningBCWipeSvc/4**o0"úfVúÍ S—ÞÅ>  m!|@€€"úfVúÍüLo0 ÞáÜ4Ü "Windows Event Logrunningeventlog/4**(p0Þm›VúÍ S—ÞÅ>  y!|@€€Þm›VúÍütp0 ÞáÜ4Ü 4Multimedia Class SchedulerrunningMMCSS/4(**Hq0B¶%WúÍ S—ÞÅ>  Ÿ!|@€€B¶%WúÍütq0 ÞáÜ4Ü <.Windows Audio Endpoint Builderrunning.AudioEndpointBuilder/4H**r0ˆyIWúÍ S—ÞÅ>  e!|@€€ˆyIWúÍü(r0 ÞáÜ4Ü Windows AudiorunningAudioSrv/4³**s0\ú XúÍ S—ÞÅ>  S!|@€€\ú XúÍüts0 ÞáÜ4Ü  ThemesrunningThemes/4** t0¾ ?XúÍ S—ÞÅ>  q!|@€€¾ ?XúÍü(t0 ÞáÜ4Ü (User Profile ServicerunningProfSvc/4€Æ/ **u0P ^XúÍ S—ÞÅ>  k!|@€€P ^XúÍü(u0 ÞáÜ4Ü &Group Policy Clientrunninggpsvc/4€€Q**v0zsXúÍ S—ÞÅ>  i!|@€€zsXúÍütv0 ÞáÜ4Ü Offline FilesrunningCscService/4** w0ä?ÕXúÍ S—ÞÅ>  s!|@€€ä?ÕXúÍütw0 ÞáÜ4Ü "COM+ Event SystemrunningEventSystem/4 **0x0ÂyïXúÍ S—ÞÅ>  …!|@€€ÂyïXúÍütx0 ÞáÜ4Ü BSystem Event Notification ServicerunningSENS/4€h…0**@y0ú YúÍ S—ÞÅ>  ‘!|@€€ú YúÍüty0 ÞáÜ4Ü LDesktop Window Manager Session ManagerrunningUxSms/4@** z0ú YúÍ S—ÞÅ>  w!|@€€ú YúÍütz0 ÞáÜ4Ü 2Security Accounts ManagerrunningSamSs/4o **`{0Ò×NYúÍ S—ÞÅ>  µ!|@€€Ò×NYúÍüt{0 ÞáÜ4Ü lWindows Driver Foundation - User-mode Driver Frameworkrunningwudfsvc/4"`**(|0 J¢YúÍ S—ÞÅ>  !|@€€ J¢YúÍü@|0 ÞáÜ4Ü > Network Store Interface Servicerunning nsi/4n(** }0n¼õYúÍ S—ÞÅ>  s!|@€€n¼õYúÍü(}0 ÞáÜ4Ü *TCP/IP NetBIOS Helperrunninglmhosts/4num **P~0ZZúÍ ¼"_Ý&  : 9!Dtà ZZúÍá[LŒ~0Microsoft-Windows-Dhcp-Clientø¤§r«N«­ùŠMfjíSystem Ý&ÎîO8Ý&ÎîË|Ö Žp)·cîÿÿngP**(0®BZúÍ ¼"_Ý&  > !>fÇ ®BZúÍøß[L˜0Microsoft-Windows-DHCPv6-Client+jj8L•¥\«;gxSystem Ý&ÎîO8(**€0¨jZúÍ S—ÞÅ>  Y!|@€€¨jZúÍüL€0 ÞáÜ4Ü DHCP ClientrunningDhcp/4stem**0†É„ZúÍ S—ÞÅ>  _!|@€€†É„ZúÍüL0 ÞáÜ4Ü DNS ClientrunningDnscache/4**8‚0VÜ—ZúÍ S—ÞÅ>  ‹!|@€€VÜ—ZúÍüL‚0 ÞáÜ4Ü 0&Shell Hardware Detectionrunning&ShellHWDetection/4sco8**ƒ02 ‹[úÍ S—ÞÅ>  g!|@€€2 ‹[úÍüLƒ0 ÞáÜ4Ü Task SchedulerrunningSchedule/4Ü**„0 &\úÍ S—ÞÅ>  c!|@€€ &\úÍüt„0 ÞáÜ4Ü Print SpoolerrunningSpooler/4**…0¨þ]úÍ S—ÞÅ>  k!|@€€¨þ]úÍüt…0 ÞáÜ4Ü * Base Filtering Enginerunning BFE/4€€T¶**†0À}ï`úÍ S—ÞÅ>  g!|@€€À}ï`úÍüt†0 ÞáÜ4Ü  Windows FirewallrunningMpsSvc/4** ‡00¶(aúÍ S—ÞÅ>  s!|@€€0¶(aúÍüt‡0 ÞáÜ4Ü (Workstationrunning(LanmanWorkstation/4 **ˆ0hREaúÍ S—ÞÅ>  [!|@€€hREaúÍütˆ0 ÞáÜ4Ü NetlogonrunningNetlogon/4=** ‰0<ÓbúÍ S—ÞÅ>  w!|@€€<ÓbúÍüL‰0 ÞáÜ4Ü ,Cryptographic ServicesrunningCryptSvc/4 ** Š0<ÓbúÍ S—ÞÅ>  s!|@€€<ÓbúÍütŠ0 ÞáÜ4Ü 2 Diagnostic Policy Servicerunning DPS/4 **P‹0´AfúÍ S—ÞÅ>  §!|@€€´AfúÍü@‹0 ÞáÜ4Ü P"McAfee Host Intrusion Prevention Servicerunning"enterceptAgent/4+P**xŒ0>ˆiúÍ S—ÞÅ>  Ï!|@€€>ˆiúÍü(Œ0 ÞáÜ4Ü JPMcAfee SiteAdvisor Enterprise ServicerunningPMcAfee SiteAdvisor Enterprise Service/4x**80Ô±ˆkúÍ S—ÞÅ>  ‰!|@€€Ô±ˆkúÍü”0 ÞáÜ4Ü 0$McAfee Framework Servicerunning$McAfeeFramework/4Defe8**HŽ0ŽHÇmúÍ S—ÞÅ>  ›!|@€€ŽHÇmúÍü”Ž0 ÞáÜ4Ü TMcAfee Validation Trust Protection Servicerunningmfevtp/40.3H**00Rk+núÍ ¼"_Ý&  P !É€Rk+núÍx0Microsoft-Windows-Application-ExperienceqNõîa-Bš˜‚ýI@¸ System Ý&ÎîO8B0**@0Rk+núÍ S—ÞÅ>  •!|@€€Rk+núÍü(0 ÞáÜ4Ü NProgram Compatibility Assistant ServicerunningPcaSvc/4€8¦@**(‘0$µ–núÍ S—ÞÅ>  {!|@€€$µ–núÍü(‘0 ÞáÜ4Ü & McAfee Task Managerrunning McTaskManager/4(**0’0ÊÅoúÍ S—ÞÅ>  ‡!|@€€ÊÅoúÍü@’0 ÞáÜ4Ü @Distributed Link Tracking ClientrunningTrkWks/4/0**(“0ôôÚoúÍ S—ÞÅ>  {!|@€€ôôÚoúÍüd“0 ÞáÜ4Ü 4Network Location AwarenessrunningNlaSvc/4che(** ”0*‡ÐpúÍ S—ÞÅ>  q!|@€€*‡ÐpúÍüd”0 ÞáÜ4Ü (VMware Tools ServicerunningVMTools/4vc/4 **8•0æúqúÍ S—ÞÅ>  !|@€€æúqúÍüd•0 ÞáÜ4Ü DWindows Management InstrumentationrunningWinmgmt/48**¸–0îÌäkúÍ ¼"_Ý&  @ ­!€îÌäkúÍ„–0Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <ÕGTz <ÕÐ!ö{ôA²»Äjÿÿ^Aÿÿ%*=NewTime Aÿÿ%*=OldTime à¥ÝkúÍz0|qúÍå/¸**0—0ŽLmnúÍ S—ÞÅ>  !|@€€ŽLmnúÍüt—0 ÞáÜ4Ü 8McAfee Firewall Core Servicerunningmfefire/4D0**0˜0VÝoúÍ S—ÞÅ>  ƒ!|@€€VÝoúÍüt˜0 ÞáÜ4Ü *$VMware Upgrade Helperrunning$VMUpgradeHelper/4 ÞáÜ0**™0 VpúÍ S—ÞÅ>  ]!|@€€ VpúÍüt™0 ÞáÜ4Ü IP Helperrunningiphlpsvc/4**š0tÀqúÍ S—ÞÅ>  _!|@€€tÀqúÍüdš0 ÞáÜ4Ü  ServerrunningLanmanServer/4Ö**›0L{цúÍ S—ÞÅ>  i!|@€€L{цúÍü@›0 ÞáÜ4Ü McAfee McShieldrunningMcShield/4teGu**0œ0"3í‡úÍ S—ÞÅ>  …!|@€€"3í‡úÍüLœ0 ÞáÜ4Ü ."Diagnostic Service Hostrunning"WdiServiceHost/40** 0äù‡úÍ S—ÞÅ>  s!|@€€äù‡úÍüL0 ÞáÜ4Ü (Network List Servicerunningnetprofm/4 Wi **(ž0L¨ˆúÍ S—ÞÅ>  }!|@€€L¨ˆúÍüLž0 ÞáÜ4Ü ,Application ExperiencerunningAeLookupSvc/4of(**0Ÿ0j-iˆúÍ S—ÞÅ>  !|@€€j-iˆúÍüLŸ0 ÞáÜ4Ü , Diagnostic System Hostrunning WdiSystemHost/4Í0**( 0€ ˆúÍ S—ÞÅ>  !|@€€€ ˆúÍü¸ 0 ÞáÜ4Ü .Remote Desktop ServicesrunningTermService/4n(**@¡0Á?‰úÍ S—ÞÅ>  “!|@€€Á?‰úÍü¸¡0 ÞáÜ4Ü DPortable Device Enumerator ServicerunningWPDBusEnum/4dow@**¢0h#B‰úÍ S—ÞÅ>  a!|@€€h#B‰úÍüL¢0 ÞáÜ4Ü Windows TimerunningW32Time/4Í**£0¨nŽ‰úÍ S—ÞÅ>  m!|@€€¨nŽ‰úÍüL£0 ÞáÜ4Ü  Windows DefenderrunningWinDefend/4**@¤0ŠYŠúÍ ¼"_Ý&  < :!%€ŠYŠúͨü¤0Microsoft-Windows-Time-ServiceëÏíÐSN¬Ê¦ø»øËSystem ï…ý>»dï…ý>Á#å×­ä5TñAÿÿƒG=TMP_EVENT_TIME_SOURCE_REACHABLEAÿÿ+*= TimeSource |Controller.shieldbase.local (ntp.d|0.0.0.0:123->10.3.58.4:123)ra@**¥0Þ„ŠúÍ S—ÞÅ>  m!|@€€Þ„ŠúÍü¸¥0 ÞáÜ4Ü  Windows DefenderstoppedWinDefend/1&**`¦0ªÒ‹úÍ S—ÞÅ>  ±!|@€€ªÒ‹úÍüL¦0 ÞáÜ4Ü P,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4y Au`**§0(_‰ŒúÍ S—ÞÅ>  i!|@€€(_‰ŒúÍüL§0 ÞáÜ4Ü  Computer BrowserrunningBrowser/4**0¨0 FòŒúÍ S—ÞÅ>  ‡!|@€€ FòŒúÍüL¨0 ÞáÜ4Ü 8Remote Desktop ConfigurationrunningSessionEnv/40**(©02EúÍ S—ÞÅ>  !|@€€2EúÍü¸©0 ÞáÜ4Ü .Certificate PropagationrunningCertPropSvc/4Ü(**`ª06 $úÍ S—ÞÅ>  ³!|@€€6 $úÍüLª0 ÞáÜ4Ü `Remote Desktop Services UserMode Port RedirectorrunningUmRdpService/4e S`**8«0h‹Ë’úÍ ¼"_Ý&  < 4!#€h‹Ë’úͨŒ«0Microsoft-Windows-Time-ServiceëÏíÐSN¬Ê¦ø»øËSystem ÌÂÕCn&ÌÂÕu»Þj—\„ꃉAÿÿ}A=TMP_EVENT_TIME_SOURCE_CHOSENAÿÿ+*= TimeSource |Controller.shieldbase.local (ntp.d|0.0.0.0:123->10.3.58.4:123)r8**x¬0µéÏúÍ S—ÞÅ>  Ï!|@€€µéÏúÍüL¬0 ÞáÜ4Ü XBMicrosoft .NET Framework NGEN v4.0.30319_X86runningBclr_optimization_v4.0.30319_32/4dx**x­0µéÏúÍ S—ÞÅ>  Ï!|@€€µéÏúÍüL­0 ÞáÜ4Ü XBMicrosoft .NET Framework NGEN v4.0.30319_X86stoppedBclr_optimization_v4.0.30319_32/1 x**x®0ôÀCÐúÍ S—ÞÅ>  Ï!|@€€ôÀCÐúÍüL®0 ÞáÜ4Ü XBMicrosoft .NET Framework NGEN v4.0.30319_X64runningBclr_optimization_v4.0.30319_64/4x**x¯0ôÀCÐúÍ S—ÞÅ>  Ï!|@€€ôÀCÐúÍüL¯0 ÞáÜ4Ü XBMicrosoft .NET Framework NGEN v4.0.30319_X64stoppedBclr_optimization_v4.0.30319_64/1x**0°0>›ÉÐúÍ S—ÞÅ>  !|@€€>›ÉÐúÍüL°0 ÞáÜ4Ü 4Windows Font Cache ServicerunningFontCache/4/10**±0F°4ÑúÍ S—ÞÅ>  m!|@€€F°4ÑúÍüL±0 ÞáÜ4Ü &Software Protectionrunningsppsvc/4er**²0º“ËÑúÍ S—ÞÅ>  e!|@€€º“ËÑúÍüL²0 ÞáÜ4Ü Security Centerrunningwscsvc/4**@³0b¸ÒúÍ S—ÞÅ>  “!|@€€b¸ÒúÍüL³0 ÞáÜ4Ü DPortable Device Enumerator ServicestoppedWPDBusEnum/1 0@**´0üj3ÙúÍ S—ÞÅ>  e!|@€€üj3ÙúÍü,´0 ÞáÜ4Ü Windows SearchrunningWSearch/4**¸µ0ò>uÞúÍ ¼"_Ý&  4 ·!MY ò>uÞúÍÔl µ0Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLChû{ÝLCh´y…ÓÒmÖ»Í dÿÿXAÿÿ*=TSId Aÿÿ%*=UserSid —*gy TJ¶‡(~Z¸**¶0r€áúÍ S—ÞÅ>  g!|@€€r€áúÍüL¶0 ÞáÜ4Ü Windows Updaterunningwuauserv/4**@·0Ž¯½ïúÍ ¼"_Ý& : !߀Ž¯½ïúÍúX*ÉwdE¸@Ÿïô·0—*gy TJ¶‡(~ZMicrosoft-Windows-GroupPolicyú´¡®Ñ—òE¦LMiÿý’ÉSystem MÚ#é~«MÚ#á÷®€ô 0à[÷ÚŠÿÿ~Aÿÿ/*!= SupportInfo1 Aÿÿ/*!= SupportInfo2 Aÿÿ3*%=ProcessingMode AÿÿO*A=ProcessingTimeInMilliseconds Aÿÿ#*=DCName AÿÿK*==NumberOfGroupPolicyObjects :[ \\Controller.shieldbase.localTP @**(¸0Þ.-ûÍ S—ÞÅ>  y!|@€€Þ.-ûÍü¬¸0 ÞáÜ4Ü 4Multimedia Class SchedulerstoppedMMCSS/1in/(**¹0£pûÍ S—ÞÅ>  i!|@€€£pûÍü¸¹0 ÞáÜ4Ü "CNG Key IsolationrunningKeyIso/4N76**@º02_zûÍ S—ÞÅ>  “!|@€€2_zûÍü¸º0 ÞáÜ4Ü DPortable Device Enumerator ServicerunningWPDBusEnum/431@**»0PŠ†ûÍ S—ÞÅ>  m!|@€€PŠ†ûÍüT »0 ÞáÜ4Ü &Network ConnectionsrunningNetman/42**¼0ª «ûÍ S—ÞÅ>  _!|@€€ª «ûÍüT ¼0 ÞáÜ4Ü WebClientrunningWebClient/4**(½0œ ûÍ S—ÞÅ>  y!|@€€œ ûÍü,½0 ÞáÜ4Ü 4Multimedia Class SchedulerrunningMMCSS/4Í(**8¾0RáûÍ S—ÞÅ>  !|@€€RáûÍü,¾0 ÞáÜ4Ü 2&Windows Modules Installerrunning&TrustedInstaller/48** ¿0¨L’IûÍ S—ÞÅ>  w!|@€€¨L’IûÍü¿0 ÞáÜ4Ü .Application InformationrunningAppinfo/4e **À0þ¥™LûÍ S—ÞÅ>  e!|@€€þ¥™LûÍü¸À0 ÞáÜ4Ü $ Volume Shadow Copyrunning VSS/4,**@Á0 u&MûÍ S—ÞÅ>  “!|@€€ u&MûÍüÁ0 ÞáÜ4Ü NMicrosoft Software Shadow Copy Providerrunningswprv/4@**@Â0˜=[ûÍ S—ÞÅ>  “!|@€€˜=[ûÍüÂ0 ÞáÜ4Ü DPortable Device Enumerator ServicestoppedWPDBusEnum/1@@**Ã0tT‰eûÍ S—ÞÅ>  i!|@€€tT‰eûÍüÃ0 ÞáÜ4Ü BCWipe servicestoppedBCWipeSvc/1**PÄ0^#ûÍ ÿÆaUîŽÿÆaUµÈø™¸ò—¸ãŸ°¿A³Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ+øAÿÿ=USER32Az › ÷  fAÿÿ‘ º è ÿÿSystemÿÿHFWKS-WIN764BITB.shieldbase.localAÿÿ¯ Ò ! ¯!2€€^#ûÍÄ0—*gy TJ¶‡(~Z FÓìl‘FÓì%g>¶9×{p(é4ÿÿ( * c (C:\Windows\system32\winlogon.exe (WKS-WIN764BITB)WKS-WIN764BITBNo title for this reason could be found0x500ffrestartSHIELDBASE\rsydow(ÿdbaP**HÅ0 ƒ8ûÍ ¼"_Ý&  4 ;!NZ ƒ8û͘&­ý®@<qp:Ü[Ôl Å0Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLChû{—*gy TJ¶‡(~ZH**(Æ0ÂoûÍ ¼"_Ý&  J !€€ÂoûÍô Æ0Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem Ý&ÎîO82 Ð(**Ç0 .ŠûÍ S—ÞÅ>  g!|@€€ .ŠûÍüÇ0 ÞáÜ4Ü Windows Updatestoppedwuauserv/1&**È0ÈÉ“ûÍ S—ÞÅ>  k!|@€€ÈÉ“ûÍüÈ0 ÞáÜ4Ü &Group Policy Clientstoppedgpsvc/11C‘Ì£**°É0‹TžûÍ rBøëÖ—ÆrBøë9S‘(B{ÌuõKÃA·Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ/øAÿÿ"=EventLogAz › ÷  fAÿÿ‘ º è ÿÿSystemÿÿHFWKS-WIN764BITB.shieldbase.localAÿÿ¯ Ò ! +!v€€‹TžûÍÉ0 FÓìl‘÷ÿÿÿe°**Ê0ÔÃûÍ S—ÞÅ>  i!|@€€ÔÃûÍüÊ0 ÞáÜ4Ü McAfee McShieldstoppedMcShield/1 ÞáÜ**(Ë0R2žûÍ S—ÞÅ>  !|@€€R2žûÍü¸Ë0 ÞáÜ4Ü .Certificate PropagationstoppedCertPropSvc/1(**0Ì0þ‹QžûÍ S—ÞÅ>  !|@€€þ‹QžûÍü¸Ì0 ÞáÜ4Ü , Diagnostic System Hoststopped WdiSystemHost/140**0Í0zõ_žûÍ S—ÞÅ>  …!|@€€zõ_žûÍü¸Í0 ÞáÜ4Ü ."Diagnostic Service Hoststopped"WdiServiceHost/10**0Î0àÅpžûÍ S—ÞÅ>  !|@€€àÅpžûÍü¸Î0 ÞáÜ4Ü 4Windows Font Cache ServicestoppedFontCache/1Web 0**ˆÏ0¬f’žûÍ ¼"_Ý&  > o!?gÇ ¬f’žûÍVk:üþL˜Ï0Microsoft-Windows-DHCPv6-Client+jj8L•¥\«;gxSystem £JA-K¡£JA-un$áke [hg#@ÿÿ4Aÿÿ'*=DwordVal ˆ**0Ð0TœžûÍ ¼"_Ý&  : !Euà TœžûÍVk:üþLŒÐ0Microsoft-Windows-Dhcp-Clientø¤§r«N«­ùŠMfjíSystem £JA-K¡oppe0** Ñ0>ižžûÍ S—ÞÅ>  s!|@€€>ižžûÍü¸Ñ0 ÞáÜ4Ü 2 Diagnostic Policy Servicestopped DPS/1ng **Ò0D¨ÕžûÍ S—ÞÅ>  Y!|@€€D¨ÕžûÍü¸Ò0 ÞáÜ4Ü DHCP ClientstoppedDhcp/1Mult**(Ó0ÆPŸûÍ S—ÞÅ>  {!|@€€ÆPŸûÍü¸Ó0 ÞáÜ4Ü & McAfee Task Managerstopped McTaskManager/1ult(**øÔ0P&DŸûÍ S—ÞÅ>  O!|@€€P&DŸûÍü¸Ô0 ÞáÜ4Ü  PowerstoppedPower/1ø**Õ0ÌRŸûÍ S—ÞÅ>  m!|@€€ÌRŸûÍü¸Õ0 ÞáÜ4Ü "Windows Event Logstoppedeventlog/1** Ö0ÚûlŸûÍ S—ÞÅ>  q!|@€€ÚûlŸûÍü¸Ö0 ÞáÜ4Ü (User Profile ServicestoppedProfSvc/1 **P×0ÚûlŸûÍ S—ÞÅ>  §!|@€€ÚûlŸûÍü¸×0 ÞáÜ4Ü P"McAfee Host Intrusion Prevention Servicestopped"enterceptAgent/1JP** Ø0ÚûlŸûÍ S—ÞÅ>  w!|@€€ÚûlŸûÍü¸Ø0 ÞáÜ4Ü ,Cryptographic ServicesstoppedCryptSvc/1 **8Ù0cáûÍ rBøëÖ— ‹!y€€cáûÍÙ0 FÓìl‘h6.01.7601Service Pack 1Multiprocessor Free175148**èÚ0cáûÍ rBøëÖ— ;!u€€cáûÍÚ0 FÓìl‘Ü# è**˜Û0cáûÍ rBøëÖ— ë!}€€cáûÍÛ0 FÓìl‘H€6560300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local˜**0Ü0ÄboŸûÍ Ü¸,Æ  2 !b*N€ÄboŸûÍpÞ^d„Ü0Microsoft-Windows-UserPnpP ô–1~  e!|@€€ÄboŸûÍü¸Ý0 ÞáÜ4Ü Plug and PlaystoppedPlugPlay/1**0Þ0jÍŸûÍ S—ÞÅ>  !|@€€jÍŸûÍü¸Þ0 ÞáÜ4Ü 8McAfee Firewall Core Servicestoppedmfefire/1Í0**@ß0TwÏŸûÍ S—ÞÅ>  “!|@€€TwÏŸûÍü¸ß0 ÞáÜ4Ü NMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`à0TwÏŸûÍ S—ÞÅ>  ³!|@€€TwÏŸûÍü¸à0 ÞáÜ4Ü `Remote Desktop Services UserMode Port RedirectorstoppedUmRdpService/1vic`**á0TwÏŸûÍ S—ÞÅ>  m!|@€€TwÏŸûÍü¸á0 ÞáÜ4Ü &Software Protectionstoppedsppsvc/1le**@â0¬ÖŸûÍ S—ÞÅ>  ‘!|@€€¬ÖŸûÍü¸â0 ÞáÜ4Ü LDesktop Window Manager Session ManagerstoppedUxSms/1\Jet@** ã0 óŸûÍ S—ÞÅ>  q!|@€€ óŸûÍü¸ã0 ÞáÜ4Ü (VMware Tools ServicestoppedVMTools/1-0 **0ä0²ýŸûÍ S—ÞÅ>  ƒ!|@€€²ýŸûÍü¸ä0 ÞáÜ4Ü *$VMware Upgrade Helperstopped$VMUpgradeHelper/10**0å0²ýŸûÍ S—ÞÅ>  ‡!|@€€²ýŸûÍü¸å0 ÞáÜ4Ü @Distributed Link Tracking ClientstoppedTrkWks/10**(æ0pO ûÍ S—ÞÅ>  !|@€€pO ûÍü¸æ0 ÞáÜ4Ü .Remote Desktop ServicesstoppedTermService/1(**@ç0š× ûÍ ¼"_Ý&  @ '!€š× ûÍpÞ^GK¨d ç0Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <ÕGT°p ûÍÀ† ûÍ0@**è0š× ûÍ S—ÞÅ>  a!|@€€š× ûÍü¸è0 ÞáÜ4Ü Windows TimestoppedW32Time/1**8é0îÁD ûÍ S—ÞÅ>  !|@€€îÁD ûÍü¸é0 ÞáÜ4Ü DWindows Management InstrumentationstoppedWinmgmt/18**8ê0¢†I ûÍ S—ÞÅ>  !|@€€¢†I ûÍü¸ê0 ÞáÜ4Ü 2&Windows Modules Installerstopped&TrustedInstaller/1408**ë0drU ûÍ S—ÞÅ>  e!|@€€drU ûÍü¸ë0 ÞáÜ4Ü $ Volume Shadow Copystopped VSS/1$**ì0r™\ ûÍ S—ÞÅ>  e!|@€€r™\ ûÍü¸ì0 ÞáÜ4Ü Security Centerstoppedwscsvc/1$**0í0ì·¡ûÍ ¼"_Ý& < '!gm€ì·¡ûÍpÞ^œ í0Microsoft-Windows-Kernel-Power:;3 ÂD¬^w" 7Ö´System ³ nÛ0**Hî0~Ÿ£ûÍ S—ÞÅ>  ›!|@€€~Ÿ£ûÍü¸î0 ÞáÜ4Ü TMcAfee Validation Trust Protection Servicestoppedmfevtp/1ITH**(ï0¶¬»£ûÍ ¼"_Ý& @ ! €¶¬»£ûÍpÞ^(ï0Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System  %†˜)¶¬»£ûÍ(**hð0ê칺ûÍ ¼"_Ý&  @ I! €ê칺ûÍpÞ^ð0Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System /«w‰µ±?EÀw¤ºûÍft.h**hñ0 ½ûÍ ¼"_Ý&  > M!€ ½ûÍXÝ^ñ0Microsoft-Windows-FilterManagerŽâÅóöcÇI¢äŠÄ°System ¼w7«FileInfo€¶ÊíðÊ h**hò07tÈûÍ ¼"_Ý&  P ;!€7tÈûÍpÞ^4ò0Microsoft-Windows-Kernel-Processor-PowerŸägQþŸN´o)HÌ`'System ÿJ¶–¥00h**ó0¦¦±ÞûÍ S—ÞÅ>  e!|@€€¦¦±ÞûÍü@ó0 ÞáÜ4Ü Plug and PlayrunningPlugPlay/4**0ô0¦¦±ÞûÍ Ü¸,Æ  2 !b*N€¦¦±ÞûÍpÞ^dtô0Microsoft-Windows-UserPnpP ô–1~  O!|@€€:Ü(ßûÍü@õ0 ÞáÜ4Ü  PowerrunningPower/4ø**`ö06›©ßûÍ ¼"_Ý&  > G!€6›©ßûÍpÞ^,ö0Microsoft-Windows-FilterManagerŽâÅóöcÇI¢äŠÄ°System ¼w7« luafv€x‰ÈïÊ`**0÷0šã3àûÍ S—ÞÅ>  ‡!|@€€šã3àûÍü@÷0 ÞáÜ4Ü 8DCOM Server Process LauncherrunningDcomLaunch/40**(ø0: ZàûÍ S—ÞÅ>  y!|@€€: ZàûÍü@ø0 ÞáÜ4Ü &RPC Endpoint MapperrunningRpcEptMapper/4@0(**(ù0B¸‰àûÍ S—ÞÅ>  {!|@€€B¸‰àûÍü@ù0 ÞáÜ4Ü 6Remote Procedure Call (RPC)runningRpcSs/4A0(**ú0¶^sáûÍ S—ÞÅ>  m!|@€€¶^sáûÍüPú0 ÞáÜ4Ü "Windows Event Logrunningeventlog/4**(û0&—¬áûÍ S—ÞÅ>  y!|@€€&—¬áûÍü8û0 ÞáÜ4Ü 4Multimedia Class SchedulerrunningMMCSS/4A-«Ö(**Hü0|¸/âûÍ S—ÞÅ>  Ÿ!|@€€|¸/âûÍü8ü0 ÞáÜ4Ü <.Windows Audio Endpoint Builderrunning.AudioEndpointBuilder/4SH**ý0òh@âûÍ S—ÞÅ>  e!|@€€òh@âûÍü(ý0 ÞáÜ4Ü Windows AudiorunningAudioSrv/4**þ0IJ«âûÍ S—ÞÅ>  S!|@€€Ä²«âûÍü8þ0 ÞáÜ4Ü  ThemesrunningThemes/4E0** ÿ0,<µâûÍ S—ÞÅ>  q!|@€€,<µâûÍü(ÿ0 ÞáÜ4Ü (User Profile ServicerunningProfSvc/4 Ên **1ª›õâûÍ S—ÞÅ>  k!|@€€ª›õâûÍü81 ÞáÜ4Ü &Group Policy Clientrunninggpsvc/4**1ð^ãûÍ S—ÞÅ>  i!|@€€ð^ãûÍü(1 ÞáÜ4Ü Offline FilesrunningCscService/4H0** 1RpKãûÍ S—ÞÅ>  s!|@€€RpKãûÍü(1 ÞáÜ4Ü "COM+ Event SystemrunningEventSystem/4win **01Š hãûÍ S—ÞÅ>  …!|@€€Š hãûÍü(1 ÞáÜ4Ü BSystem Event Notification ServicerunningSENS/40**@1½xãûÍ S—ÞÅ>  ‘!|@€€½xãûÍü(1 ÞáÜ4Ü LDesktop Window Manager Session ManagerrunningUxSms/4€€#Ñ@** 1½xãûÍ S—ÞÅ>  w!|@€€½xãûÍü81 ÞáÜ4Ü 2Security Accounts ManagerrunningSamSs/4 **`1ŒCÀãûÍ S—ÞÅ>  µ!|@€€ŒCÀãûÍü81 ÞáÜ4Ü lWindows Driver Foundation - User-mode Driver Frameworkrunningwudfsvc/4 H`**(1†ËèãûÍ S—ÞÅ>  !|@€€†ËèãûÍü81 ÞáÜ4Ü > Network Store Interface Servicerunning nsi/4Ü(** 1ŽzäûÍ S—ÞÅ>  s!|@€€ŽzäûÍü81 ÞáÜ4Ü *TCP/IP NetBIOS Helperrunninglmhosts/404 ** 1l´2äûÍ S—ÞÅ>  _!|@€€l´2äûÍü8 1 ÞáÜ4Ü DNS ClientrunningDnscache/4**( 1Ô=<äûÍ ¼"_Ý&  : !Dtà Ô=<äûÍpÞ^0à^D 1Microsoft-Windows-Dhcp-Clientø¤§r«N«­ùŠMfjíSystem Ý&ÎîO8(**( 1ÜìkäûÍ ¼"_Ý&  > !>fÇ ÜìkäûÍXÝ^0à^X 1Microsoft-Windows-DHCPv6-Client+jj8L•¥\«;gxSystem Ý&ÎîO8m(** 16OnäûÍ S—ÞÅ>  Y!|@€€6OnäûÍü8 1 ÞáÜ4Ü DHCP ClientrunningDhcp/4 **8 1nëŠäûÍ S—ÞÅ>  ‹!|@€€nëŠäûÍü8 1 ÞáÜ4Ü 0&Shell Hardware Detectionrunning&ShellHWDetection/4and8**1T[hèûÍ S—ÞÅ>  g!|@€€T[hèûÍü81 ÞáÜ4Ü Task SchedulerrunningSchedule/4F**1nù±ëûÍ S—ÞÅ>  c!|@€€nù±ëûÍü81 ÞáÜ4Ü Print SpoolerrunningSpooler/4**1J)¥ìûÍ S—ÞÅ>  k!|@€€J)¥ìûÍü81 ÞáÜ4Ü * Base Filtering Enginerunning BFE/4Pro**1H~íûÍ S—ÞÅ>  g!|@€€H~íûÍüD1 ÞáÜ4Ü  Windows FirewallrunningMpsSvc/4** 1Žâ¡íûÍ S—ÞÅ>  s!|@€€Žâ¡íûÍüD1 ÞáÜ4Ü (Workstationrunning(LanmanWorkstation/4 **1¤¸ØíûÍ S—ÞÅ>  [!|@€€¤¸ØíûÍüD1 ÞáÜ4Ü NetlogonrunningNetlogon/4Í$** 1´CiïûÍ S—ÞÅ>  s!|@€€´CiïûÍü81 ÞáÜ4Ü 2 Diagnostic Policy Servicerunning DPS/4 ** 1БwïûÍ S—ÞÅ>  w!|@€€Ð‘wïûÍüD1 ÞáÜ4Ü ,Cryptographic ServicesrunningCryptSvc/4 **P1¬ÍòûÍ S—ÞÅ>  §!|@€€¬ÍòûÍü(1 ÞáÜ4Ü P"McAfee Host Intrusion Prevention Servicerunning"enterceptAgent/4P**x1N†rúûÍ S—ÞÅ>  Ï!|@€€N†rúûÍü€1 ÞáÜ4Ü JPMcAfee SiteAdvisor Enterprise ServicerunningPMcAfee SiteAdvisor Enterprise Service/4x**81VbÓûûÍ S—ÞÅ>  ‰!|@€€VbÓûûÍü€1 ÞáÜ4Ü 0$McAfee Framework Servicerunning$McAfeeFramework/48**H1ö´*ýûÍ S—ÞÅ>  ›!|@€€ö´*ýûÍü€1 ÞáÜ4Ü TMcAfee Validation Trust Protection Servicerunningmfevtp/4sktH**01XÆ\ýûÍ ¼"_Ý&  P !É€XÆ\ýûÍ@1Microsoft-Windows-Application-ExperienceqNõîa-Bš˜‚ýI@¸ System Ý&ÎîO8de H0**@1XÆ\ýûÍ S—ÞÅ>  •!|@€€XÆ\ýûÍüP1 ÞáÜ4Ü NProgram Compatibility Assistant ServicerunningPcaSvc/4B@**01âB}þûÍ S—ÞÅ>  ‡!|@€€âB}þûÍüP1 ÞáÜ4Ü @Distributed Link Tracking ClientrunningTrkWks/4t0**(1DT¯þûÍ S—ÞÅ>  {!|@€€DT¯þûÍüP1 ÞáÜ4Ü 4Network Location AwarenessrunningNlaSvc/4scs(** 1ÄêGÿûÍ S—ÞÅ>  q!|@€€ÄêGÿûÍüP1 ÞáÜ4Ü (VMware Tools ServicerunningVMTools/4  S—ÞÅ>  |@€€HÂ_ÿûÍüP1 ÞáÜ4Ü ElfChnkÄ1Ô1€þxÿ¬‡Þ]Þµfö‹ÌÁ³=§” öзt?øF‚M+“L‡ý û&AVÓ[SU;ß’æ„&d**À1HÂ_ÿûÍ S—ÞÅ&S—ÞÅB•”"ó[¥ˆå›AMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿßøoTSystemAÿÿ2ñ{ProviderF=K•NameService Control ManagerF†)Guid&{555908d1-a6d7-4695-8e1e-26931d2012f4}í`ÖEventSourceNameService Control ManagerAMSõaEventID't†)Ú Qualifiers "§ Version ÐdÎLevelõE{Task ®Opcode$?jÏKeywordsAÿÿPj;Ž TimeCreated'“j<{ SystemTime .ÁF EventRecordID Aÿÿ…ö¢ò Correlation\F ñ ActivityIDFS5ÅRelatedActivityIDAÿÿm‚¸µ ExecutionHF§ × ProcessIDÌõ…9ThreadID ÿÿ.öƒaChannelSystemÿÿb+j;nComputerWKS-WIN764BITB.shieldbase.localAÿÿB”í .Security·fLUserID ! `!|@€€HÂ_ÿûÍüP1 ÞáÜ4dÞáÜ4v¢ä“ú*…M^pâ»ÿÿ¯‹D‚ EventDataAÿÿ5³§ŠoData=param1 Aÿÿ#³=param2 ÿÿ  !¸Binary DWindows Management InstrumentationrunningWinmgmt/404À**è 1²îûûÍ ¼"_Ýæ ¼"_ÝÖJKlôñ¹®¼9VA Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ‚øAÿÿF=†AS t §  Ð õ  ?Aÿÿj “ Á AÿÿöFF Aÿÿ‚F§Ì  öÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · !  @ ­!€²îûûÍ8` 1Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <Õý z <ÕÐ!ö{ôA²»Äjÿÿ^‹Aÿÿ%³=NewTime Aÿÿ%³=OldTime ð•âûûÍDàÿûÍee Vè**(!1®@oüûÍ S—ÞÅ& {!|@€€®@oüûÍüP!1 ÞáÜ4d& McAfee Task Managerrunning McTaskManager/4cro(**0"1ô0ÄýûÍ S—ÞÅ& !|@€€ô0ÄýûÍüP"1 ÞáÜ4d8McAfee Firewall Core Servicerunningmfefire/4@0**0#1ðïDþûÍ S—ÞÅ& ƒ!|@€€ðïDþûÍüP#1 ÞáÜ4d*$VMware Upgrade Helperrunning$VMUpgradeHelper/4 M0**$1ô]õþûÍ S—ÞÅ& ]!|@€€ô]õþûÍüP$1 ÞáÜ4dIP Helperrunningiphlpsvc/4St**%1ži£ÿûÍ S—ÞÅ& _!|@€€ži£ÿûÍüD%1 ÞáÜ4d ServerrunningLanmanServer/4**&1i]üÍ S—ÞÅ& i!|@€€i]üÍü(&1 ÞáÜ4dMcAfee McShieldrunningMcShield/4***0'1ü¯üÍ S—ÞÅ& …!|@€€ü¯üÍü@'1 ÞáÜ4d."Diagnostic Service Hostrunning"WdiServiceHost/400** (1ÌÂüÍ S—ÞÅ& s!|@€€ÌÂüÍü@(1 ÞáÜ4d(Network List Servicerunningnetprofm/4¶–¥ **()1&%üÍ S—ÞÅ& !|@€€&%üÍü@)1 ÞáÜ4d.Remote Desktop ServicesrunningTermService/4n(**0*1Ü yüÍ S—ÞÅ& !|@€€Ü yüÍü€*1 ÞáÜ4d, Diagnostic System Hostrunning WdiSystemHost/40**@+1FáÚüÍ S—ÞÅ& “!|@€€FáÚüÍü€+1 ÞáÜ4dDPortable Device Enumerator ServicerunningWPDBusEnum/4n/@**,1öd`üÍ S—ÞÅ& a!|@€€öd`üÍüð,1 ÞáÜ4dWindows TimerunningW32Time/4m**-1²Ø”üÍ S—ÞÅ& m!|@€€²Ø”üÍü€-1 ÞáÜ4d Windows DefenderrunningWinDefend/4**`.1Êå#üÍ S—ÞÅ& ±!|@€€Êå#üÍü€.1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4win`**@/1†YXüÍ ¼"_Ýæ   < :!%€†YXüÍÌ| /1Microsoft-Windows-Time-ServiceëÏíÐSN¬Ê¦ø»øËSystem ï…ý>Óï…ý>Á#å×­ä5TñAÿÿƒ‹G=TMP_EVENT_TIME_SOURCE_REACHABLEAÿÿ+³= TimeSource |Controller.shieldbase.local (ntp.d|0.0.0.0:123->10.3.58.4:123)**@**001^›üÍ S—ÞÅ& ‡!|@€€^›üÍü€01 ÞáÜ4d8Remote Desktop ConfigurationrunningSessionEnv/40**11 hÈüÍ S—ÞÅ& m!|@€€ hÈüÍü€11 ÞáÜ4d Windows DefenderstoppedWinDefend/1s **(21fÊÊüÍ S—ÞÅ& !|@€€fÊÊüÍü€21 ÞáÜ4d.Certificate PropagationrunningCertPropSvc/4p(**31Âc%üÍ S—ÞÅ& i!|@€€Âc%üÍü€31 ÞáÜ4d Computer BrowserrunningBrowser/4te P**`41ß üÍ S—ÞÅ& ³!|@€€ß üÍüð41 ÞáÜ4d`Remote Desktop Services UserMode Port RedirectorrunningUmRdpService/44`**851öÌéüÍ ¼"_Ýæ   < 4!#€öÌéüÍÌ| 51Microsoft-Windows-Time-ServiceëÏíÐSN¬Ê¦ø»øËSystem ÌÂÕû&æ ÌÂÕu»Þj—\„ꃉAÿÿ}‹A=TMP_EVENT_TIME_SOURCE_CHOSENAÿÿ+³= TimeSource |Controller.shieldbase.local (ntp.d|0.0.0.0:123->10.3.58.4:123)S8**x61öÉYüÍ S—ÞÅ& Ï!|@€€öÉYüÍüð61 ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X86runningBclr_optimization_v4.0.30319_32/4x**x71öÉYüÍ S—ÞÅ& Ï!|@€€öÉYüÍüð71 ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X86stoppedBclr_optimization_v4.0.30319_32/1x**x81ö9>ZüÍ S—ÞÅ& Ï!|@€€ö9>ZüÍüð81 ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X64runningBclr_optimization_v4.0.30319_64/4x**x91ö9>ZüÍ S—ÞÅ& Ï!|@€€ö9>ZüÍüð91 ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X64stoppedBclr_optimization_v4.0.30319_64/1x**@:1ö šZüÍ S—ÞÅ& “!|@€€ö šZüÍüð:1 ÞáÜ4dDPortable Device Enumerator ServicestoppedWPDBusEnum/1@**0;1öMíZüÍ S—ÞÅ& !|@€€öMíZüÍüð;1 ÞáÜ4d4Windows Font Cache ServicerunningFontCache/40**<1ö§’[üÍ S—ÞÅ& m!|@€€ö§’[üÍüð<1 ÞáÜ4d&Software Protectionrunningsppsvc/4**=1ö1ê[üÍ S—ÞÅ& e!|@€€ö1ê[üÍüð=1 ÞáÜ4dSecurity Centerrunningwscsvc/4**>1ö¾ìbüÍ S—ÞÅ& e!|@€€ö¾ìbüÍü| >1 ÞáÜ4dWindows SearchrunningWSearch/4**?1ö#‘hüÍ S—ÞÅ& g!|@€€ö#‘hüÍü| ?1 ÞáÜ4dWindows Updaterunningwuauserv/4o**8@1öÎ6üÍ S—ÞÅ& !|@€€öÎ6üÍüÈ@1 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/4er8**(A1öÑ’üÍ S—ÞÅ& y!|@€€öÑ’üÍüÈA1 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1lm(**(B1vû1»üÍ S—ÞÅ& }!|@€€vû1»üÍü(B1 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4em(**8C1ö­ ÏüÍ S—ÞÅ& ‹!|@€€ö­ ÏüÍüœ C1 ÞáÜ4d0&Shell Hardware Detectionstopped&ShellHWDetection/1ent8**D1Çâ'ýÍ S—ÞÅ& m!|@€€Çâ'ýÍü(D1 ÞáÜ4d&Software Protectionstoppedsppsvc/1ni**(E1ÀDÿýÍ S—ÞÅ&  s!€@€€ÀDÿýÍü| E1 cÒ3U;cÒ3þœ ©™Î}²F±ôºÿÿ®‹Aÿÿ#³=param1 Aÿÿ#³=param2 Aÿÿ#³=param3 Aÿÿ#³=param4 2 Windows Modules Installerdemand startauto startTrustedInstallern(**XF1o†ÛþÍ S—ÞÅ&  ¡!€@€€o†ÛþÍü| F1 cÒ3U;2 Windows Modules Installerauto startdemand startTrustedInstaller0X**8G1[6þÍ S—ÞÅ& !|@€€[6þÍü| G1 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`H1I»ëÑþÍ S—ÞÅ& ±!|@€€I»ëÑþÍü, H1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`I1­o_Í S—ÞÅ& ±!|@€€­o_Íü$I1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8J1´°ucÍ S—ÞÅ& !|@€€´°ucÍü´ J1 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**K1&¿Í S—ÞÅ& e!|@€€&¿Íü\K1 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@L1 ³DÍ S—ÞÅ& “!|@€€ ³DÍüü L1 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**0M1a‰¿‡Í S—ÞÅ& !|@€€a‰¿‡Íü¨ M1 ÞáÜ4d, Diagnostic System Hoststopped WdiSystemHost/10**N1Tw€‘Í S—ÞÅ& e!|@€€Tw€‘Íü¨ N1 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@O1\ÍüÍ S—ÞÅ& “!|@€€\ÍüÍü¨ O1 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`P1‚ ™­Í S—ÞÅ& ±!|@€€‚ ™­Íü$P1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**XQ1Ý!ãÍ S—ÞÅ&  ¡!€@€€Ý!ãÍü0Q1 cÒ3U;2 Windows Modules Installerdemand startauto startTrustedInstallerX**XR1ÂLÒãÍ S—ÞÅ&  ¡!€@€€ÂLÒãÍü0R1 cÒ3U;2 Windows Modules Installerauto startdemand startTrustedInstallerX**8S1böãÍ S—ÞÅ& !|@€€böãÍü0S1 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`T1÷`IŠÍ S—ÞÅ& ±!|@€€÷`IŠÍüÌT1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`U1w`ØÍ S—ÞÅ& ±!|@€€w`ØÍü(U1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**8V1#AÒ Í S—ÞÅ& ‹!|@€€#AÒ ÍüH V1 ÞáÜ4d0&Shell Hardware Detectionrunning&ShellHWDetection/48**¸W1;}ÞÒ Í ¼"_Ýæ   4 ·!MY ;}ÞÒ Í <W1Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLCh[SÝLCh´y…ÓÒmÖ»Í dÿÿX‹Aÿÿ³=TSId Aÿÿ%³=UserSid —*gy TJ¶‡(~Q¸**X1­‚ØÖ Í S—ÞÅ& _!|@€€­‚ØÖ Íü0X1 ÞáÜ4dWebClientrunningWebClient/4**@Y1ï‹ëÞ Í ¼"_Ýæ  : !߀ï‹ëÞ Ím]ÅY5C´Š?¶ÛŸÇ8X„ Y1—*gy TJ¶‡(~QMicrosoft-Windows-GroupPolicyú´¡®Ñ—òE¦LMiÿý’ÉSystem MÚ#AVMÚ#á÷®€ô 0à[÷ÚŠÿÿ~‹Aÿÿ/³!= SupportInfo1 Aÿÿ/³!= SupportInfo2 Aÿÿ3³%=ProcessingMode AÿÿO³A=ProcessingTimeInMilliseconds Aÿÿ#³=DCName AÿÿK³==NumberOfGroupPolicyObjects :[ L\\Controller.shieldbase.local@**@Z1Eà Í S—ÞÅ& “!|@€€Eà Íü0Z1 ÞáÜ4dDPortable Device Enumerator ServicerunningWPDBusEnum/4@**[1ã"Tâ Í S—ÞÅ& i!|@€€ã"Tâ ÍüH [1 ÞáÜ4d"CNG Key IsolationrunningKeyIso/4**\1éKô Í S—ÞÅ& m!|@€€éKô Íü0 \1 ÞáÜ4d&Network ConnectionsrunningNetman/4**(]1}<# Í S—ÞÅ& y!|@€€}<# ÍüÐ ]1 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**`^1–Ä% Í S—ÞÅ& ±!|@€€–Ä% Íü0^1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**@_1lÆ¥' Í S—ÞÅ& “!|@€€lÆ¥' Íü0_1 ÞáÜ4dDPortable Device Enumerator ServicestoppedWPDBusEnum/1@**(`13ÔÑÚ Í S—ÞÅ& y!|@€€3ÔÑÚ ÍüÜ`1 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**(a1–ÿXé Í S—ÞÅ& }!|@€€–ÿXé Íü@a1 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**`b1OˆÝs Í S—ÞÅ& ±!|@€€OˆÝs Íü@b1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`c1<Œè¾Í S—ÞÅ& ±!|@€€<Œè¾Íü c1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`d1,"ÿ Í S—ÞÅ& ±!|@€€,"ÿ Íü¼ d1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`e1Œœ$Í S—ÞÅ& ±!|@€€Œœ$Íüü e1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`f1Q´r Í S—ÞÅ& ±!|@€€Q´r ÍüPf1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**g1ŠB)Í S—ÞÅ& e!|@€€ŠB)Íüìg1 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@h1G‹B)Í S—ÞÅ& “!|@€€G‹B)ÍüÄ h1 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**`i1æ)›)Í S—ÞÅ& ±!|@€€æ)›)ÍüÄ i1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**j1Šaâ­)Í S—ÞÅ& e!|@€€Šaâ­)ÍüÜ j1 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@k1ªK,*Í S—ÞÅ& “!|@€€ªK,*Íü<k1 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`l1^ø?é+Í S—ÞÅ& ±!|@€€^ø?é+Íüô l1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`m1´vÐY5Í S—ÞÅ& ±!|@€€´vÐY5ÍüÐm1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`n1æ€é§7Í S—ÞÅ& ±!|@€€æ€é§7Íü  n1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`o1ƒÄ9(>Í S—ÞÅ& ±!|@€€ƒÄ9(>Íüto1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`p1’ÐPv@Í S—ÞÅ& ±!|@€€’ÐPv@Íü` p1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`q1öÚ2óMÍ S—ÞÅ& ±!|@€€öÚ2óMÍüà q1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`r1uIAPÍ S—ÞÅ& ±!|@€€uIAPÍüT r1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`s1X2oXÍ S—ÞÅ& ±!|@€€X2oXÍüs1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`t1nK½ZÍ S—ÞÅ& ±!|@€€nK½ZÍüÌt1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`u1Th ÇbÍ S—ÞÅ& ±!|@€€Th ÇbÍü(u1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`v1âi¶eÍ S—ÞÅ& ±!|@€€âi¶eÍüD v1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`w1Xú>orÍ S—ÞÅ& ±!|@€€Xú>orÍü w1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`x1‰X½tÍ S—ÞÅ& ±!|@€€‰X½tÍüô x1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`y1´(«Í S—ÞÅ& ±!|@€€´(«Íüxy1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`z1¾?ùƒÍ S—ÞÅ& ±!|@€€¾?ùƒÍütz1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`{1ÛY KŒÍ S—ÞÅ& ±!|@€€ÛY KŒÍüà{1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**À|1€KíÍ rBøëæ„rBøë9S‘(B{ÌuõKÃA·Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ/øAÿÿ"=EventLogAS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · ! =!}€€€KíÍ|1 FÓìL‡FÓì%g>¶9×{p(é4ÿÿ(‹ ³  N€6279860300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.localÀ**`}1ž—8™ŽÍ S—ÞÅ& ±!|@€€ž—8™ŽÍüH}1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`~1¿&'œÍ S—ÞÅ& ±!|@€€¿&'œÍü¬~1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`1»¬=džÍ S—ÞÅ& ±!|@€€»¬=džÍüô 1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`€1O¸—¥Í S—ÞÅ& ±!|@€€O¸—¥Íü(€1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`1ÎÏå§Í S—ÞÅ& ±!|@€€ÎÏå§ÍüØ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`‚1&ÅË«Í S—ÞÅ& ±!|@€€&ÅË«ÍüÔ‚1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**Xƒ1þ¢!Ú«Í ¼"_Ýæ   P =!΀þ¢!Ú«Í@Lƒ1Microsoft-Windows-Application-ExperienceqNõîa-Bš˜‚ýI@¸ System Ý&Îîß’Ý&ÎîË|Ö Žp)·cîÿÿ‹X**(„1R›sá«Í S—ÞÅ& }!|@€€R›sá«ÍüŒ„1 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**…1ø{x¬Í S—ÞÅ& m!|@€€ø{x¬ÍüØ …1 ÞáÜ4d&Software Protectionrunningsppsvc/4**8†1ˆQf ¬Í S—ÞÅ& !|@€€ˆQf ¬ÍüØ †1 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**(‡1ÎÅ¢3¬Í S—ÞÅ& }!|@€€ÎÅ¢3¬ÍüH ‡1 ÞáÜ4d"&Protected Storagerunning&ProtectedStorage/4(**8ˆ1Üì©3¬Í S—ÞÅ& !|@€€Üì©3¬ÍüH ˆ1 ÞáÜ4dFOffice Software Protection Platformrunningosppsvc/48**0‰1#ˆ9¬Í S—ÞÅ& …!|@€€#ˆ9¬Íü´‰1 ÞáÜ4d>Windows Error Reporting ServicerunningWerSvc/40**(Š1õˆæA¬Í S—ÞÅ& y!|@€€õˆæA¬ÍüØ Š1 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**0‹1ÜÖ¬Í S—ÞÅ& …!|@€€ÜÖ¬Íü´‹1 ÞáÜ4d>Windows Error Reporting ServicestoppedWerSvc/10**Œ1?íͬÍ S—ÞÅ& m!|@€€?íͬÍü€Œ1 ÞáÜ4d&Software Protectionstoppedsppsvc/1**(1mûv:­Í S—ÞÅ& y!|@€€mûv:­Íü€1 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**XŽ1Ño­Í S—ÞÅ&  ¡!€@€€Ño­Íü\ Ž1 cÒ3U;2 Windows Modules Installerdemand startauto startTrustedInstallerX**X1Í(­Í S—ÞÅ&  ¡!€@€€Í(­Íü\ 1 cÒ3U;2 Windows Modules Installerauto startdemand startTrustedInstallerX**81YÅ!­Í S—ÞÅ& !|@€€YÅ!­Íü\ 1 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**(‘1÷š}‘­Í S—ÞÅ& }!|@€€÷š}‘­Íü\ ‘1 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**`’1ðYO®Í S—ÞÅ& ±!|@€€Ã°YO®Íü¬ ’1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**(“1dô'{°Í S—ÞÅ& y!|@€€dô'{°ÍüÜ“1 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**(”1hʨ.±Í S—ÞÅ& y!|@€€hʨ.±Íü¼ ”1 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**`•1­¸±Í S—ÞÅ& ±!|@€€­¸±Íü` •1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`–1F4ë³Í S—ÞÅ& ±!|@€€F4ë³Íü€ –1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`—1`ËÅœ¾Í S—ÞÅ& ±!|@€€`ËÅœ¾ÍüØ —1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`˜1‹æêÀÍ S—ÞÅ& ±!|@€€‹æêÀÍü4˜1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`™1':$„ÉÍ S—ÞÅ& ±!|@€€':$„ÉÍüÔ™1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`š1ƒP9ÒËÍ S—ÞÅ& ±!|@€€ƒP9ÒËÍü¤ š1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`›1(¸ûcÔÍ S—ÞÅ& ±!|@€€(¸ûcÔÍü,›1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`œ1W,–ÏÖÍ S—ÞÅ& ±!|@€€W,–ÏÖÍüLœ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`1ÉÒŸ¹ÙÍ S—ÞÅ& ±!|@€€ÉÒŸ¹ÙÍüì 1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`ž1ÖÍÜÍ S—ÞÅ& ±!|@€€ÖÍÜÍüìž1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`Ÿ1U•×çÍ S—ÞÅ& ±!|@€€U•×çÍü´ Ÿ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**` 1÷±%êÍ S—ÞÅ& ±!|@€€÷±%êÍüР1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**¡1[ÊÛmòÍ S—ÞÅ& e!|@€€[ÊÛmòÍüð¡1 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@¢1O›ŽnòÍ S—ÞÅ& “!|@€€O›ŽnòÍü ¢1 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**£1ÃiBÚòÍ S—ÞÅ& e!|@€€ÃiBÚòÍü £1 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@¤1a,EóÍ S—ÞÅ& “!|@€€a,EóÍü ¤1 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`¥1±M´BõÍ S—ÞÅ& ±!|@€€±M´BõÍü  ¥1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`¦1õ›È÷Í S—ÞÅ& ±!|@€€õ›È÷Íü¦1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`§1H»é¸Í S—ÞÅ& ±!|@€€H»é¸Íüt §1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`¨1-°Í S—ÞÅ& ±!|@€€-°Íü¨1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`©1»{Í S—ÞÅ& ±!|@€€»{Íü, ©1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`ª1fn•UÍ S—ÞÅ& ±!|@€€fn•UÍü(ª1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`«1R * Í S—ÞÅ& ±!|@€€R * Íü|«1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`¬1k4xÍ S—ÞÅ& ±!|@€€k4xÍü4¬1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`­1?UDéÍ S—ÞÅ& ±!|@€€?UDéÍü ­1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`®1P¼R7Í S—ÞÅ& ±!|@€€P¼R7ÍüÀ ®1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`¯1ƒ°*ÑÍ S—ÞÅ& ±!|@€€ƒ°*ÑÍüH ¯1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`°1ÁîCÍ S—ÞÅ& ±!|@€€ÁîCÍü8°1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`±1rãå²(Í S—ÞÅ& ±!|@€€rãå²(Íü€ ±1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`²1“K+Í S—ÞÅ& ±!|@€€“K+ÍüP²1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`³1B™0Í S—ÞÅ& ±!|@€€B™0ÍüÀ³1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`´1ú~¯R2Í S—ÞÅ& ±!|@€€ú~¯R2ÍüL´1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`µ1‰4 ¸4Í S—ÞÅ& ±!|@€€‰4 ¸4Íü¬ µ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`¶1Úó97Í S—ÞÅ& ±!|@€€Úó97Íü(¶1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`·1I¦¬LAÍ S—ÞÅ& ±!|@€€I¦¬LAÍü$·1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`¸1™˜ÄšCÍ S—ÞÅ& ±!|@€€™˜ÄšCÍüP¸1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`¹1bHÊQÍ S—ÞÅ& ±!|@€€bHÊQÍüœ¹1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`º1ÐaTÍ S—ÞÅ& ±!|@€€ÐaTÍüô º1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`** »1€x;WÍ rBøëæ„ ó!}€€€x;WÍ»1 FÓìL‡P€14925860300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **`¼1¬ã£*YÍ S—ÞÅ& ±!|@€€¬ã£*YÍü¼1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`½1Â÷/‘]Í S—ÞÅ& ±!|@€€Â÷/‘]Íü ½1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`¾1¯$j_Í S—ÞÅ& ±!|@€€¯$j_ÍüL ¾1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8¿1ÎPÈv_Í S—ÞÅ& !|@€€ÎPÈv_Íüü¿1 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**XÀ1t¹{á`Í S—ÞÅ&  ¡!€@€€t¹{á`ÍütÀ1 cÒ3U;2 Windows Modules Installerdemand startauto startTrustedInstallerX**XÁ1KŒââ`Í S—ÞÅ&  ¡!€@€€KŒââ`ÍütÁ1 cÒ3U;2 Windows Modules Installerauto startdemand startTrustedInstallerX**8Â1¬èã`Í S—ÞÅ& !|@€€¬èã`ÍütÂ1 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`Ã1Á¸aÍ S—ÞÅ& ±!|@€€Á¸aÍü¼ Ã1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`Ä1µŠeÍ S—ÞÅ& ±!|@€€µŠeÍü4Ä1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`Å1(Û£cgÍ S—ÞÅ& ±!|@€€(Û£cgÍül Å1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`Æ1q5*uÍ S—ÞÅ& ±!|@€€q5*uÍü¸ Æ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`Ç1Œ–BRwÍ S—ÞÅ& ±!|@€€Œ–BRwÍüÇ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`È1fu¼Í S—ÞÅ& ±!|@€€fu¼ÍüPÈ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`É1܆ „Í S—ÞÅ& ±!|@€€Ü† „Íü´ É1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`Ê1r€J „Í S—ÞÅ& ±!|@€€r€J „Íü Ê1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`Ë1ÜóX[†Í S—ÞÅ& ±!|@€€ÜóX[†Íü|Ë1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`Ì1k KÍ S—ÞÅ& ±!|@€€k KÍüÌ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`Í1—ð$™‘Í S—ÞÅ& ±!|@€€—ð$™‘Íü¸Í1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`Î1g€2ÁšÍ S—ÞÅ& ±!|@€€g€2ÁšÍüì Î1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`Ï1VKÍ S—ÞÅ& ±!|@€€VKÍü”Ï1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`Ð1¸‡’²Í S—ÞÅ& ±!|@€€¸‡’²Íü8 Ð1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`Ñ1‹£« Í S—ÞÅ& ±!|@€€‹£« Íü,Ñ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`Ò1ÿ%…¥Í S—ÞÅ& ±!|@€€ÿ%…¥ÍüÄ Ò1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`Ó1žAÓ§Í S—ÞÅ& ±!|@€€žAÓ§ÍüØ Ó1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`Ô1ïš¯Í S—ÞÅ& ±!|@€€ïš¯ÍüàÔ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4` S—ÞÅ&|@ElfChnkÅrÕ1‚2€hýÈþÎR<ÞÚS”ãö‹ÌÁ³=§” öзt?øF‚M+“|2–ãµÊ^¯.î•*0&²**àÕ1˜ÞÏ²Í S—ÞÅ&S—ÞÅB•”"ó[¥ˆå›AMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿßøoTSystemAÿÿ2ñ{ProviderF=K•NameService Control ManagerF†)Guid&{555908d1-a6d7-4695-8e1e-26931d2012f4}í`ÖEventSourceNameService Control ManagerAMSõaEventID't†)Ú Qualifiers "§ Version ÐdÎLevelõE{Task ®Opcode$?jÏKeywordsAÿÿPj;Ž TimeCreated'“j<{ SystemTime .ÁF EventRecordID Aÿÿ…ö¢ò Correlation\F ñ ActivityIDFS5ÅRelatedActivityIDAÿÿm‚¸µ ExecutionHF§ × ProcessIDÌõ…9ThreadID ÿÿ.öƒaChannelSystemÿÿb+j;nComputerWKS-WIN764BITB.shieldbase.localAÿÿB”í .Security·fLUserID ! „!|@€€˜ÞϲÍüè Õ1 ÞáÜ4dÞáÜ4v¢ä“ú*…M^pâ»ÿÿ¯‹D‚ EventDataAÿÿ5³§ŠoData=param1 Aÿÿ#³=param2 ÿÿ  !¸Binary P,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1à**`Ö1?³Å|ºÍ S—ÞÅ& ±!|@€€?³Å|ºÍü(Ö1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**×1(S9˜»Í S—ÞÅ& e!|@€€(S9˜»ÍüP×1 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@Ø1|¤™»Í S—ÞÅ& “!|@€€|¤™»ÍüØØ1 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**Ù1ä¿Ç¼Í S—ÞÅ& e!|@€€ä¿Ç¼ÍüØÙ1 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@Ú1 õp¼Í S—ÞÅ& “!|@€€ õp¼Íü< Ú1 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`Û1Û¯ÞʼÍ S—ÞÅ& ±!|@€€Û¯ÞʼÍüÄÛ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`Ü1þœôvÈÍ S—ÞÅ& ±!|@€€þœôvÈÍü„ Ü1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`Ý1X/ÅÊÍ S—ÞÅ& ±!|@€€X/ÅÊÍüè Ý1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`Þ1ý¦ÔÍ S—ÞÅ& ±!|@€€ý¦ÔÍüô Þ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`ß1V!_ÖÍ S—ÞÅ& ±!|@€€V!_ÖÍü ß1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`à1Õ|øÙÍ S—ÞÅ& ±!|@€€Õ|øÙÍü¸à1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`á1[ (FÜÍ S—ÞÅ& ±!|@€€[ (FÜÍü´á1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`â1¶U)ãÍ S—ÞÅ& ±!|@€€¶U)ãÍü| â1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`ã1÷mwåÍ S—ÞÅ& ±!|@€€÷mwåÍü´ã1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`ä142ÈòÍ S—ÞÅ& ±!|@€€42ÈòÍüä1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`å1‰wákôÍ S—ÞÅ& ±!|@€€‰wákôÍüÌ å1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`æ1t«zÿÍ S—ÞÅ& ±!|@€€t«zÿÍü˜æ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`ç1ŠkÍ S—ÞÅ& ±!|@€€ŠkÍüX ç1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`è1x7Í S—ÞÅ& ±!|@€€x7Íü è1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`é1~ƒOjÍ S—ÞÅ& ±!|@€€~ƒOjÍüÈé1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`ê1Mì p Í S—ÞÅ& ±!|@€€Mì p Íü4ê1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`ë1QÜ(¾ Í S—ÞÅ& ±!|@€€QÜ(¾ ÍüØë1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`ì1Y‰¡QÍ S—ÞÅ& ±!|@€€Y‰¡QÍü$ì1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8í1_.±Í S—ÞÅ& !|@€€_.±ÍüØí1 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**(î1W< Í S—ÞÅ&  s!€@€€W< Íü¸ î1 cÒ3•*cÒ3þœ ©™Î}²F±ôºÿÿ®‹Aÿÿ#³=param1 Aÿÿ#³=param2 Aÿÿ#³=param3 Aÿÿ#³=param4 2 Windows Modules Installerdemand startauto startTrustedInstaller(**Xï1*Ã!Í S—ÞÅ&  ¡!€@€€*Ã!Íü¸ ï1 cÒ3•*2 Windows Modules Installerauto startdemand startTrustedInstallerX**8ð1ü6Å!Í S—ÞÅ& !|@€€ü6Å!Íü¸ ð1 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`ñ1>}\ÕÍ S—ÞÅ& ±!|@€€>}\ÕÍüìñ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**Èò1€€B Í rBøë0rBøë9S‘(B{ÌuõKÃA·Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ/øAÿÿ"=EventLogAS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · ! ?!}€€€€B Íò1 FÓì|2FÓì%g>¶9×{p(é4ÿÿ(‹ ³  P€23559860300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.localÈ**`ó1·'=† Í S—ÞÅ& ±!|@€€·'=† Íü4ó1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`ô1ó\UÔ"Í S—ÞÅ& ±!|@€€ó\UÔ"Íüü ô1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`õ1Ú8¹ü'Í S—ÞÅ& ±!|@€€Ú8¹ü'Íü¤ õ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`ö1HÏJ*Í S—ÞÅ& ±!|@€€HÏJ*ÍüØö1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`÷1)ÓiÍ-Í S—ÞÅ& ±!|@€€)ÓiÍ-Íü¨÷1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`ø14ƒ0Í S—ÞÅ& ±!|@€€4ƒ0Íü| ø1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`ù1’ˆ=ž<Í S—ÞÅ& ±!|@€€’ˆ=ž<Íü° ù1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`ú1£HÆAÍ S—ÞÅ& ±!|@€€£HÆAÍü  ú1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`û1ýÚÛEÍ S—ÞÅ& ±!|@€€ýÚÛEÍü4 û1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`ü1§óOGÍ S—ÞÅ& ±!|@€€§óOGÍü¬ü1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`ý1Ëüà=TÍ S—ÞÅ& ±!|@€€Ëüà=TÍüÔý1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`þ1tÝú‹VÍ S—ÞÅ& ±!|@€€tÝú‹VÍüØþ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`ÿ10Q;…aÍ S—ÞÅ& ±!|@€€0Q;…aÍüÿ1 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`2V MÍ S—ÞÅ&  ¥!€@€€¹N> MÍü€:2 cÒ3•*NBackground Intelligent Transfer Servicedemand startauto startBITS`**;2UÍìMÍ S—ÞÅ& e!|@€€UÍìMÍü˜;2 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@<2ë íMÍ S—ÞÅ& “!|@€€ë íMÍü <2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**=2wiYNÍ S—ÞÅ& e!|@€€wiYNÍü =2 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@>2L!±ÄNÍ S—ÞÅ& “!|@€€L!±ÄNÍüd>2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`?2µbìVOÍ S—ÞÅ& ±!|@€€µbìVOÍü`?2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`@2?T$#RÍ S—ÞÅ& ±!|@€€?T$#RÍü(@2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`A2ò™:qTÍ S—ÞÅ& ±!|@€€ò™:qTÍüA2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`B2ïjˆUÍ S—ÞÅ&  ¥!€@€€ïjˆUÍü B2 cÒ3•*NBackground Intelligent Transfer Serviceauto startdemand startBITS`**C2úNgÍ S—ÞÅ& e!|@€€úNgÍü C2 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@D2·ß gÍ S—ÞÅ& “!|@€€·ß gÍü°D2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**(E2(€=gÍ S—ÞÅ& }!|@€€(€=gÍü E2 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**F2 ÅâQgÍ S—ÞÅ& o!|@€€ ÅâQgÍü F2 ÞáÜ4d"Windows Installerrunningmsiserver/4**G2õ )¾gÍ S—ÞÅ& e!|@€€õ )¾gÍüG2 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**xH2ê($hÍ S—ÞÅ& Ï!|@€€ê($hÍüÜH2 ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X64runningBclr_optimization_v4.0.30319_64/4x**@I2íS‘)hÍ S—ÞÅ& “!|@€€íS‘)hÍüI2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**xJ2¶9ARhÍ S—ÞÅ& Ï!|@€€¶9ARhÍüÜJ2 ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X86runningBclr_optimization_v4.0.30319_32/4x**(K2ܾ¸¢hÍ S—ÞÅ& }!|@€€Ü¾¸¢hÍü¨K2 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**8L2Á¬L¯hÍ S—ÞÅ& !|@€€Á¬L¯hÍüÜL2 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**@M2úaµhÍ ¼"_Ý^¯žu¼"_ÝÖJKlôñ¹®¼9VA Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ‚øAÿÿF=†AS t §  Ð õ  ?Aÿÿj “ Á AÿÿöFF Aÿÿ‚F§Ì  öÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · !  J ÿ! €úaµhÍX´M2Microsoft-Windows-WindowsUpdateClientT‰Z”GÁÍJ’?@ÄT¦XSystem ðñ ñ²dðñ ñKòêr«Ø®Ý'ªô¾ÿÿ²‹Aÿÿ-³= updateTitle Aÿÿ+³= updateGuid Aÿÿ?³1=updateRevisionNumber öUpdate for Microsoft .NET Framework 4 on XP, Server 2003, Vista, Windows 7, Server 2008, Server 2008 R2 for x64 (KB2600217)þ4mhûJ–\Þ© éFd@**`N2u ½iÍ S—ÞÅ& ±!|@€€u ½iÍüüN2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**O2T‘QÿiÍ S—ÞÅ& o!|@€€T‘QÿiÍüO2 ÞáÜ4d"Windows Installerstoppedmsiserver/1**xP2’@ùFjÍ S—ÞÅ& Ï!|@€€’@ùFjÍü”P2 ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X64stoppedBclr_optimization_v4.0.30319_64/1x**xQ2&í’*kÍ S—ÞÅ& Ï!|@€€&í’*kÍü˜ Q2 ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X86stoppedBclr_optimization_v4.0.30319_32/1x**XR2Aàd,kÍ S—ÞÅ&  ¡!€@€€Aàd,kÍü˜ R2 cÒ3•*2 Windows Modules Installerdemand startauto startTrustedInstallerX**XS2iÅs.kÍ S—ÞÅ&  ¡!€@€€iÅs.kÍü˜ S2 cÒ3•*2 Windows Modules Installerauto startdemand startTrustedInstallerX**8T2qt£.kÍ S—ÞÅ& !|@€€qt£.kÍü˜ T2 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`U2¡! lÍ S—ÞÅ& ±!|@€€¡! lÍüÌU2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`V2‘ýpE}Í S—ÞÅ& ±!|@€€‘ýpE}Íü<V2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`W2†‡“Í S—ÞÅ& ±!|@€€†‡“Íü W2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`X2t-t‰¨Í S—ÞÅ& ±!|@€€t-t‰¨ÍüPX2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`Y2ÚvתÍ S—ÞÅ& ±!|@€€ÚvתÍülY2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`** Z2€º.s²Í rBøë0 ó!}€€€º.s²ÍZ2 FÓì|2P€40833860300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local ** [2€ò–²Í rBøë0 ó!}€€€ò–²Í[2 FÓì|2P€40839860300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **¨\2Ä¢ËÍ S—ÞÅ& ã!…@€€Ä¢ËÍüô\2—*gy TJ¶‡(~Z YA¶&µÊYA¶&§Ÿï)Úì ÛY„ÿÿ‹Aÿÿ-³= ServiceName Aÿÿ)³= ImagePath Aÿÿ-³= ServiceType Aÿÿ)³= StartType Aÿÿ-³= AccountName "$"FResponse Servicef-response-ent.exeuser mode servicedemand startLocalSystem¨**(]2@/E£ËÍ S—ÞÅ& }!|@€€@/E£ËÍüô]2 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**x^2à|£ËÍ S—ÞÅ&  ¿!…@€€à|£ËÍüô^2 YA¶&µÊJ$MnemosyneC:\Windows\system32\Mnemosyne_x64.syskernel mode driverdemand startx**(_2ŽÊ£ËÍ S—ÞÅ& !|@€€ŽÊ£ËÍüØ_2 ÞáÜ4d"(FResponse Servicerunning(FResponse Service/4(** `2H¤ËÍ S—ÞÅ& u!|@€€H¤ËÍüØ`2 ÞáÜ4d$IPsec Policy AgentrunningPolicyAgent/4 **(a29DßÍÍ S—ÞÅ& }!|@€€9DßÍÍüa2 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**`b2šrŸèÐÍ S—ÞÅ& ±!|@€€šrŸèÐÍüØb2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`c2™Œ³6ÓÍ S—ÞÅ& ±!|@€€™Œ³6ÓÍü4c2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`d2ÖÛ”ùÍ S—ÞÅ& ±!|@€€ÖÛ”ùÍüÈd2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`e24¬_ûÍ S—ÞÅ& ±!|@€€4¬_ûÍüðe2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`f2È2øÍ S—ÞÅ& ±!|@€€È2øÍü`f2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8g2MýÍ S—ÞÅ& !|@€€MýÍüD g2 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**Xh2lîErÍ S—ÞÅ&  ¡!€@€€lîErÍü¤ h2 cÒ3•*2 Windows Modules Installerdemand startauto startTrustedInstallerX**Xi2tQsÍ S—ÞÅ&  ¡!€@€€tQsÍü¤ i2 cÒ3•*2 Windows Modules Installerauto startdemand startTrustedInstallerX**8j2à‡dsÍ S—ÞÅ& !|@€€à‡dsÍü¤ j2 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`k2ÚƒSFÍ S—ÞÅ& ±!|@€€ÚƒSFÍüÜk2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**(l2aï š Í S—ÞÅ& y!|@€€aï š Íüðl2 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(** m2EÈŸ Í S—ÞÅ& w!|@€€EÈŸ Íüèm2 ÞáÜ4d.Application InformationrunningAppinfo/4 **(n2å´y  Í S—ÞÅ& }!|@€€å´y  Íüðn2 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**Ðo2î2å Í ßñæâ–ãßñæâpl›”ÀÿJ4(5òÛAÏMsj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿGøAÿÿ:1=Virtual Disk ServiceAS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · ! 5!B€î2å Ío2 FÓì|2@2010005Ð**p2×Oå Í S—ÞÅ& Y!|@€€×Oå Íüðp2 ÞáÜ4d Virtual Diskrunning vds/4**q2)í Í S—ÞÅ& o!|@€€)í Íüðq2 ÞáÜ4d"Disk Defragmenterrunningdefragsvc/4**(r2$¬nM Í S—ÞÅ& y!|@€€$¬nM Íüðr2 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**s2MÉüÏ Í S—ÞÅ& o!|@€€MÉüÏ Íüðs2 ÞáÜ4d"Disk Defragmenterstoppeddefragsvc/1**t2kL Í S—ÞÅ& o!|@€€kL Íüt2 ÞáÜ4d"Disk Defragmenterrunningdefragsvc/4**(u2­Lp Í S—ÞÅ& }!|@€€­Lp Íü¨u2 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**(v2f´PgÍ S—ÞÅ& y!|@€€f´PgÍü¤ v2 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**w2‚‹³Í =üÔü.î=üÔüz»ÉN9þp½ àÏÁAµMsj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ-øAÿÿ =volsnapAS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · ! •!$À€‚‹³Í0w2 FÓì|2J(\Device\HarddiskVolumeShadowCopy2C:(0$À**(x2ÂèÛÍ S—ÞÅ& y!|@€€ÂèÛÍüx2 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**y2‰[Í S—ÞÅ& e!|@€€‰[Íüy2 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@z2ÓaÙÍ S—ÞÅ& “!|@€€ÓaÙÍüèz2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**8{2¿¿2Í S—ÞÅ& !|@€€¿¿2Íüø{2 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**|2¹ªK Í S—ÞÅ& e!|@€€¹ªK Íüè|2 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@}2³Ì˜ Í S—ÞÅ& “!|@€€³Ì˜ Íü$ }2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**X~2ÃN# Í S—ÞÅ&  ¡!€@€€ÃN# Íü,~2 cÒ3•*2 Windows Modules Installerdemand startauto startTrustedInstallerX**X2+* Í S—ÞÅ&  ¡!€@€€+* Íü,2 cÒ3•*2 Windows Modules Installerauto startdemand startTrustedInstallerX**8€2 a¡ Í S—ÞÅ& !|@€€ a¡ Íü,€2 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`2…¯Ä¬#Í S—ÞÅ& ±!|@€€…¯Ä¬#ÍüP2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`‚2ƒàÄú%Í S—ÞÅ& ±!|@€€ƒàÄú%ÍüP ‚2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1` S—ÞÅ& |@€€iƒLOÍü|ƒ2 ÞáÜ4dPWinHTTP Web Proxy Auto-Discovery Servicerunning,ElfChnks#ƒ233€0þhÿÜQCì]t=ö‹ÌÁ³=¯÷®§” öзB°t?ø%®‚M+“DŸÎ–’©•õ ЮÞf«d**àƒ2iƒLOÍ S—ÞÅ&S—ÞÅB•”"ó[¥ˆå›AMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿßøoTSystemAÿÿ2ñ{ProviderF=K•NameService Control ManagerF†)Guid&{555908d1-a6d7-4695-8e1e-26931d2012f4}í`ÖEventSourceNameService Control ManagerAMSõaEventID't†)Ú Qualifiers "§ Version ÐdÎLevelõE{Task ®Opcode$?jÏKeywordsAÿÿPj;Ž TimeCreated'“j<{ SystemTime .ÁF EventRecordID Aÿÿ…ö¢ò Correlation\F ñ ActivityIDFS5ÅRelatedActivityIDAÿÿm‚¸µ ExecutionHF§ × ProcessIDÌõ…9ThreadID ÿÿ.öƒaChannelSystemÿÿb+j;nComputerWKS-WIN764BITB.shieldbase.localAÿÿB”í .Security·fLUserID ! „!|@€€iƒLOÍü|ƒ2 ÞáÜ4dÞáÜ4v¢ä“ú*…M^pâ»ÿÿ¯‹D‚ EventDataAÿÿ5³§ŠoData=param1 Aÿÿ#³=param2 ÿÿ  !¸Binary P,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4à**`„27u5šQÍ S—ÞÅ& ±!|@€€7u5šQÍü¤„2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**(…2îï7vuÍ S—ÞÅ& y!|@€€îï7vuÍü…2 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**0†2ŽÐ yuÍ S—ÞÅ& …!|@€€ŽÐ yuÍü†2 ÞáÜ4d>Windows Error Reporting ServicerunningWerSvc/40**0‡2Ni¥ÀuÍ S—ÞÅ& …!|@€€Ni¥ÀuÍüH‡2 ÞáÜ4d>Windows Error Reporting ServicestoppedWerSvc/10**ˆ2~O¯vÍ S—ÞÅ& o!|@€€~O¯vÍüˆ2 ÞáÜ4d"Disk Defragmenterstoppeddefragsvc/1**(‰2îiÚ)vÍ S—ÞÅ& y!|@€€îiÚ)vÍü$‰2 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**(Š2àÿÉiyÍ S—ÞÅ& y!|@€€àÿÉiyÍüðŠ2 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**`‹2éÔÐzÍ S—ÞÅ& ±!|@€€éÔÐzÍü ‹2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**(Œ2ºKzÍ S—ÞÅ& y!|@€€ÂºKzÍü Œ2 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**È2€À[Á{Í rBøëÞrBøë9S‘(B{ÌuõKÃA·Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ/øAÿÿ"=EventLogAS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · ! ?!}€€€À[Á{Í2 FÓìDFÓì%g>¶9×{p(é4ÿÿ(‹ ³  P€49479860300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.localÈ**`Ž2S¦÷h|Í S—ÞÅ& ±!|@€€S¦÷h|ÍüÜŽ2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`2ñ'‚q¢Í S—ÞÅ& ±!|@€€ñ'‚q¢Íüx2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`2/W¿¤Í S—ÞÅ& ±!|@€€/W¿¤Íü¸2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`‘2s×Ið¬Í S—ÞÅ& ±!|@€€s×Ið¬Íü ‘2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8’2 `ßý¬Í S—ÞÅ& !|@€€ `ßý¬Íü(’2 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**(“2_@Jj®Í S—ÞÅ&  s!€@€€_@Jj®Íü<“2 cÒ3õ cÒ3þœ ©™Î}²F±ôºÿÿ®‹Aÿÿ#³=param1 Aÿÿ#³=param2 Aÿÿ#³=param3 Aÿÿ#³=param4 2 Windows Modules Installerdemand startauto startTrustedInstaller(**X”2j$¶k®Í S—ÞÅ&  ¡!€@€€j$¶k®Íü<”2 cÒ3õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8•2,Òk®Í S—ÞÅ& !|@€€,Òk®Íü<•2 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`–2l–c>¯Í S—ÞÅ& ±!|@€€l–c>¯Íü´–2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`—2CçK)ÂÍ S—ÞÅ& ±!|@€€CçK)ÂÍü°—2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`˜2¿7bwÄÍ S—ÞÅ& ±!|@€€¿7bwÄÍü( ˜2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**(™2}Q}ÍÍ S—ÞÅ& y!|@€€}Q}ÍÍül™2 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**(š2«ÿ(—ÍÍ S—ÞÅ& }!|@€€«ÿ(—ÍÍü8š2 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**`›2³y´°ÍÍ S—ÞÅ& ±!|@€€³y´°ÍÍüЛ2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**(œ2í7¸0ÎÍ S—ÞÅ& y!|@€€í7¸0ÎÍüœ2 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**(2•åËüÎÍ S—ÞÅ& }!|@€€•åËüÎÍüD2 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**(ž2‹4ÏÍ S—ÞÅ& y!|@€€‹4ÏÍüÜž2 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**(Ÿ2ÄÛ#ÐÍ S—ÞÅ& y!|@€€ÄÛ#ÐÍüxŸ2 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**` 2¦žNvÑÍ S—ÞÅ& ±!|@€€¦žNvÑÍü` 2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**(¡2,mÓÍ S—ÞÅ& y!|@€€,mÓÍü\¡2 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**(¢2cL‹ ÔÍ S—ÞÅ& y!|@€€cL‹ ÔÍüP¢2 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**(£2zÏ:ÔÍ S—ÞÅ& y!|@€€zÏ:ÔÍü@£2 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**(¤23N¿óÔÍ S—ÞÅ& y!|@€€3N¿óÔÍüŒ¤2 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**(¥2¬=ú¾ÖÍ S—ÞÅ& y!|@€€¬=ú¾ÖÍü¥2 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**(¦2ª5©r×Í S—ÞÅ& y!|@€€ª5©r×Íü¦2 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**§2‰ÏaBàÍ S—ÞÅ& e!|@€€‰ÏaBàÍü<§2 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@¨2{vCàÍ S—ÞÅ& “!|@€€{vCàÍüШ2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**©2ƒëó®àÍ S—ÞÅ& e!|@€€ƒëó®àÍüЩ2 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@ª2¯¨>áÍ S—ÞÅ& “!|@€€¯¨>áÍü0ª2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`«2¿@]ûÍ S—ÞÅ& ±!|@€€¿@]ûÍüô«2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`¬2:WS«ýÍ S—ÞÅ& ±!|@€€:WS«ýÍüì¬2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`­2,G#Í S—ÞÅ& ±!|@€€,G#Íü ­2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`®2ã!•%Í S—ÞÅ& ±!|@€€ã!•%ÍüÄ®2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**(¯2òˆç5Í S—ÞÅ& y!|@€€òˆç5Íü<¯2 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**(°2F©§ù5Í S—ÞÅ& }!|@€€F©§ù5Íü<°2 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**0±2»Ø6Í S—ÞÅ& …!|@€€»Ø6Íüб2 ÞáÜ4d>Windows Error Reporting ServicerunningWerSvc/40**`²2ª, 6Í S—ÞÅ& ±!|@€€ª, 6Íü0²2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**0³2—ÄÎR6Í S—ÞÅ& …!|@€€—ÄÎR6Íü³2 ÞáÜ4d>Windows Error Reporting ServicestoppedWerSvc/10**(´2¨•yš6Í S—ÞÅ& y!|@€€¨•yš6Íüh´2 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**(µ2Xºq7Í S—ÞÅ& }!|@€€Xºq7Íü8µ2 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**`¶2Bõ0d8Í S—ÞÅ& ±!|@€€Bõ0d8Íü°¶2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**(·2l±°z;Í S—ÞÅ& y!|@€€l±°z;ÍüØ·2 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**(¸2öô>.<Í S—ÞÅ& y!|@€€öô>.<Íü¤¸2 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(** ¹2€€ÅëDÍ rBøëÞ ó!}€€€€ÅëD͹2 FÓìDP€58119860300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **`º2Ã)Ù,HÍ S—ÞÅ& ±!|@€€Ã)Ù,HÍüĺ2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8»2n°‡6HÍ S—ÞÅ& !|@€€n°‡6HÍü »2 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**X¼2Fô˜¡IÍ S—ÞÅ&  ¡!€@€€Fô˜¡IÍü@¼2 cÒ3õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**X½2ÝUî¢IÍ S—ÞÅ&  ¡!€@€€ÝUî¢IÍü@½2 cÒ3õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8¾2­¶£IÍ S—ÞÅ& !|@€€­¶£IÍü@¾2 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`¿20ñzJÍ S—ÞÅ& ±!|@€€0ñzJÍü¿2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`À2^déQ‹Í S—ÞÅ& ±!|@€€^déQ‹Íü4À2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`Á2ãd Í S—ÞÅ& ±!|@€€ãd ÍüäÁ2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**Â2 ul©Í S—ÞÅ& e!|@€€ ul©ÍütÂ2 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@Ã2k”2m©Í S—ÞÅ& “!|@€€k”2m©Íü0Ã2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**Ä2 Ù©Í S—ÞÅ& e!|@€€ Ù©Íü0Ä2 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@Å2»åVDªÍ S—ÞÅ& “!|@€€»åVDªÍü  Å2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`Æ2T‘¯Í S—ÞÅ&  ¥!€@€€T‘¯ÍüHÆ2 cÒ3õ NBackground Intelligent Transfer Servicedemand startauto startBITS`**(Ç2É9­¯Í S—ÞÅ& }!|@€€É9­¯ÍülÇ2 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**(È2¨ûjѱÍ S—ÞÅ& }!|@€€¨ûjѱÍüäÈ2 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**`É2¹-‚¦¸Í S—ÞÅ&  ¥!€@€€¹-‚¦¸Íü0É2 cÒ3õ NBackground Intelligent Transfer Serviceauto startdemand startBITS`**`Ê2pô3NâÍ S—ÞÅ& ±!|@€€pô3NâÍüÜÊ2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8Ë2Fí]âÍ S—ÞÅ& !|@€€Fí]âÍüÜË2 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**XÌ2xÿ¬ËãÍ S—ÞÅ&  ¡!€@€€xÿ¬ËãÍü<Ì2 cÒ3õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**XÍ2ÜãÝÎãÍ S—ÞÅ&  ¡!€@€€ÜãÝÎãÍü<Í2 cÒ3õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8Î2̸3ÏãÍ S—ÞÅ& !|@€€Ì¸3ÏãÍü<Î2 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`Ï2ìNœäÍ S—ÞÅ& ±!|@€€ìNœäÍüÈÏ2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`** Ð2€@/ Í rBøëÞ ó!}€€€@/ ÍÐ2 FÓìDP€66759860300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **`Ñ2gdŒT Í S—ÞÅ& ±!|@€€gdŒT ÍüèÑ2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`Ò2 ¦ÝV Í S—ÞÅ& ±!|@€€ ¦ÝV ÍüLÒ2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**Ó2†¤ù–r Í S—ÞÅ& e!|@€€†¤ù–r ÍüðÓ2 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@Ô2t‹—r Í S—ÞÅ& “!|@€€t‹—r ÍüìÔ2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**Õ22Ôas Í S—ÞÅ& e!|@€€2Ôas ÍüìÕ2 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@Ö2x–®ns Í S—ÞÅ& “!|@€€x–®ns ÍüôÖ2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`×2E2N¾† Í S—ÞÅ& ±!|@€€E2N¾† Íüœ×2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8Ø2®sʆ Í S—ÞÅ& !|@€€®sʆ ÍüœØ2 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**XÙ2VÑ‚5ˆ Í S—ÞÅ&  ¡!€@€€VÑ‚5ˆ ÍüÌ Ù2 cÒ3õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**XÚ2²?¥6ˆ Í S—ÞÅ&  ¡!€@€€²?¥6ˆ ÍüÌ Ú2 cÒ3õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8Û2’eË6ˆ Í S—ÞÅ& !|@€€’eË6ˆ ÍüÌ Û2 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`Ü2ͱl ‰ Í S—ÞÅ& ±!|@€€Í±l ‰ Íü(Ü2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`** Ý2€™@× Í rBøëÞ ó!}€€€™@× ÍÝ2 FÓìDP€75399860300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **`Þ2ÚY· Í S—ÞÅ& ±!|@€€ÚY· Íüh Þ2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`ß2µo Í S—ÞÅ& ±!|@€€µo Íü¤ß2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`à2„4zÍ8 Í S—ÞÅ& ±!|@€€„4zÍ8 Íüh à2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8á2ã0Ò8 Í S—ÞÅ& !|@€€ã0Ò8 ÍüTá2 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**Xâ29mB:: Í S—ÞÅ&  ¡!€@€€9mB:: Íüdâ2 cÒ3õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**Xã21°:: Í S—ÞÅ&  ¡!€@€€1°:: Íüdã2 cÒ3õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8ä2óÇ:: Í S—ÞÅ& !|@€€óÇ:: Íüdä2 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`å26ˆš; Í S—ÞÅ& ±!|@€€6ˆš; Íü å2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**æ2ŠE/Á; Í S—ÞÅ& e!|@€€ŠE/Á; Íü¼æ2 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@ç2†-˜Á; Í S—ÞÅ& “!|@€€†-˜Á; Íüç2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**è2ÚFb-< Í S—ÞÅ& e!|@€€ÚFb-< Íüè2 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@é2Ъ˜< Í S—ÞÅ& “!|@€€Ðª˜< Íüé2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**Pê2´o-9| Í ¼"_Ý–’¼"_ÝÖJKlôñ¹®¼9VA Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ‚øAÿÿF=†AS t §  Ð õ  ?Aÿÿj “ Á AÿÿöFF Aÿÿ‚F§Ì  öÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · !  <  !2€´o-9| ÍÌ°ê2Microsoft-Windows-Time-ServiceëÏíÐSN¬Ê¦ø»øËSystem Љ¦ ©•Ð‰¦ J…£Þ£§Ÿ™?åAÿÿÙ‹==TMP_EVENT_LOCALCLOCK_UNSETAÿÿK³==TimeDifferenceMilliseconds Aÿÿ9³+=TimeSampleSeconds ˆ„P** ë2ä¦F  Í rBøëÞ ó!}€€ä¦F  Íë2 FÓìDP€84033860300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local ** ì2*jj  Í rBøëÞ ó!}€€*jj  Íì2 FÓìDP€84039860300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **`í2H=‚× Í S—ÞÅ& ±!|@€€H=‚× Íülí2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8î2Å‘…‹× Í S—ÞÅ& !|@€€Å‘…‹× ÍüPî2 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**Xï2tJ"ùØ Í S—ÞÅ&  ¡!€@€€tJ"ùØ Íü`ï2 cÒ3õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**Xð2ææäúØ Í S—ÞÅ&  ¡!€@€€ææäúØ Íü`ð2 cÒ3õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8ñ2† ûØ Í S—ÞÅ& !|@€€† ûØ Íü`ñ2 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`ò2,_UÐÙ Í S—ÞÅ& ±!|@€€,_UÐÙ Íü\ò2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`ó27èÄæ Í S—ÞÅ& ±!|@€€7èÄæ Íü¸ó2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`ô21Îÿé Í S—ÞÅ& ±!|@€€1Îÿé Íü0ô2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**õ2¥,Wë Í S—ÞÅ& e!|@€€¥,Wë Íü(õ2 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@ö2œèë Í S—ÞÅ& “!|@€€œèë Íüäö2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**÷2£¯W Í S—ÞÅ& e!|@€€£¯W Íüä÷2 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@ø2]ÒøÂ Í S—ÞÅ& “!|@€€]Òø Íüøø2 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**ðù2ŠxM Í  î*óf«& î*ó׬š´øF›ØäÁÐÉAÿÿ½Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿøAÿÿ›’F=Microsoft-Windows-Eventlog†&{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}AS t §  Ð õ  ?Aÿÿj “ Á AÿÿöFFAÿÿ‚F§Ì ÿÿöSystemÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · $%®F5DUserData! i!ii€ŠxM Í ù2 (ÊÊDЮ(ÊÊDŒÆg³Wâµ{€Aÿÿt÷®‘€ AutoBackup F¯Nwxmlns:auto-ns3/http://schemas.microsoft.com/win/2004/08/eventsj;http://manifests.microsoft.com/win/2004/08/windows/eventlogÿÿ ö ÿÿ(B°'º BackupPath  ApplicationC:\Windows\System32\Winevt\Logs\Archive-Application-2012-03-26-05-50-01-755.evtxð** ú2€€l•i Í rBøëÞ ó!}€€€€l•i Íú2 FÓìDP€92679860300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **`û2}éÛ‡ Í S—ÞÅ& ±!|@€€}éÛ‡ Íüû2 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8ü2t.*é‡ Í S—ÞÅ& !|@€€t.*é‡ Íüü2 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**Xý2.÷—V‰ Í S—ÞÅ&  ¡!€@€€.÷—V‰ Íü`ý2 cÒ3õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**Xþ2è`¥W‰ Í S—ÞÅ&  ¡!€@€€è`¥W‰ Íü`þ2 cÒ3õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8ÿ2ÔÁÆW‰ Í S—ÞÅ& !|@€€ÔÁÆW‰ Íü`ÿ2 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`3ÄÚ1)Š Í S—ÞÅ& ±!|@€€ÄÚ1)Š Íü3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`3Ùí¯ Í S—ÞÅ& ±!|@€€Ùí¯ Íü¬3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`3Ñ .;² Í S—ÞÅ& ±!|@€€Ñ .;² Íü€ 3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**3©W¨Î Í S—ÞÅ& e!|@€€©W¨Î Íü˜3 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@3u)<Î Í S—ÞÅ& “!|@€€u)<Î Íüä3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**3Ü[úÎ Í S—ÞÅ& e!|@€€Ü[úÎ Íüˆ3 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@3ž.DíÎ Í S—ÞÅ& “!|@€€ž.DíÎ Íüˆ3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`3’ (Ê* Í S—ÞÅ& ±!|@€€’ (Ê* ÍüÀ 3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**83Kòæ×* Í S—ÞÅ& !|@€€Kòæ×* Íüœ 3 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**X 3ŸœE, Í S—ÞÅ&  ¡!€@€€ŸœE, Íül 3 cÒ3õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**X 3ϧºF, Í S—ÞÅ&  ¡!€@€€Ï§ºF, Íül 3 cÒ3õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8 3kÞF, Í S—ÞÅ& !|@€€kÞF, Íül 3 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**` 3K0>- Í S—ÞÅ& ±!|@€€K0>- Íüx 3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**  3€@Ö¿2 Í rBøëÞ õ!}€€€@Ö¿2 Í 3 FÓìDR€101319860300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **¸39V Í ¼"_Ý–’  @ ­!€9V Í8`3Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <ÕŸÎz <ÕÐ!ö{ôA²»Äjÿÿ^‹Aÿÿ%³=NewTime Aÿÿ%³=OldTime 9V Íç.ÉU ͸**83£’˜V Í ¼"_Ý–’  @ +!€£’˜V Í8`3Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <՟Σ’˜V Í‘Gf&V Í8**83P¥[W Í ¼"_Ý–’  @ +!€P¥[W Í8`3Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <ÕŸÎP¥[W Ͳ]p™V Í8**`3V3¦zW Í S—ÞÅ& ±!|@€€V3¦zW Íü3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`3̬ÀÈY Í S—ÞÅ& ±!|@€€Ì¬ÀÈY Íü¬3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**83¹x¹‹b Í ¼"_Ý–’  @ +!€¹x¹‹b Í8`3Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <՟κ¸‹b ÍdÊî b Í8**83–Žc Í ¼"_Ý–’  @ +!€–Žc Í8`3Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <՟ΖŽc ÍŒ­b Í8**`3b û¬c Í S—ÞÅ& ±!|@€€b û¬c Íü, 3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`3 yûe Í S—ÞÅ& ±!|@€€ yûe Íüì3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`3úA#x Í S—ÞÅ& ±!|@€€úA#x Íü3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`3cYYqz Í S—ÞÅ& ±!|@€€cYYqz Íü<3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`3tÌ| Í S—ÞÅ& ±!|@€€tÌ| Íüp3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`3>?äb~ Í S—ÞÅ& ±!|@€€>?äb~ Íü3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**83SêèÞ“ Í ¼"_Ý–’  @ +!€SêèÞ“ ÍÌ 3Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <ÕŸÎSêèÞ“ ÍÀo9P“ Í8**83 IëÞ“ Í ¼"_Ý–’  @ +!€ IëÞ“ ÍÌ 3Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <՟ΠIëÞ“ Í­LëÞ“ Í8**3Ý3É?— Í S—ÞÅ& e!|@€€Ý3É?— Íüè 3 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@3A|S@— Í S—ÞÅ& “!|@€€A|S@— Íü(3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**3-¬— Í S—ÞÅ& e!|@€€-¬— ÍüÀ3 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@ 3b½d˜ Í S—ÞÅ& “!|@€€b½d˜ ÍüÀ 3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**!31AŸÍ¬ Í S—ÞÅ& o!|@€€1AŸÍ¬ Íü´!3 ÞáÜ4d"Disk Defragmenterrunningdefragsvc/4**"3'Þ°<­ Í S—ÞÅ& o!|@€€'Þ°<­ Íü´"3 ÞáÜ4d"Disk Defragmenterstoppeddefragsvc/1**`#3~Å´ØÀ Í S—ÞÅ& ±!|@€€~Å´ØÀ Íü4#3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8$35µÝÀ Í S—ÞÅ& !|@€€5µÝÀ ÍüÈ$3 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**X%3£bVI Í S—ÞÅ&  ¡!€@€€£bVI ÍüD%3 cÒ3õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**X&3:@EJ Í S—ÞÅ&  ¡!€@€€:@EJ ÍüD&3 cÒ3õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8'3 SXJ Í S—ÞÅ& !|@€€ SXJ ÍüD'3 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`(3ý Ë&à Í S—ÞÅ& ±!|@€€ý Ë&à Íü¸ (3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`** )3€0-×û Í rBøëÞ õ!}€€€0-×û Í)3 FÓìDR€109802360300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **`*3©slÕE Í S—ÞÅ& ±!|@€€©slÕE ÍüÐ*3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`+3OÁ‚#H Í S—ÞÅ& ±!|@€€OÁ‚#H Íü+3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**,3›ªzj` Í S—ÞÅ& e!|@€€›ªzj` ÍüD,3 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@-3a7k` Í S—ÞÅ& “!|@€€a7k` ÍüP-3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**8.3(}¼` Í S—ÞÅ& !|@€€(}¼` Íüp.3 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**/3„ ë` Í S—ÞÅ& e!|@€€„ ë` ÍüP/3 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@03_ÁSVa Í S—ÞÅ& “!|@€€_ÁSVa Íü03 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**X13ë*/¶9×{p(é4ÿÿ(‹ ³  R€118442360300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.localÈ**`;3j_5þÍ S—ÞÅ& ±!|@€€j_5þÍüÐ;3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`<3¤§NLÍ S—ÞÅ& ±!|@€€¤§NLÍüÀ<3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`=3ò®uGÍ S—ÞÅ&  ¥!€@€€ò®uGÍüÐ=3 cÒ3Õ NBackground Intelligent Transfer Servicedemand startauto startBITS`**(>3=¿ŠcÍ S—ÞÅ& }!|@€€=¿ŠcÍü4>3 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**(?3göüÍ S—ÞÅ& }!|@€€göüÍü?3 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**`@3,d„ÃÍ S—ÞÅ&  ¥!€@€€,d„ÃÍüp@3 cÒ3Õ NBackground Intelligent Transfer Serviceauto startdemand startBITS`**`A3@}ŒÞ Í S—ÞÅ& ±!|@€€@}ŒÞ ÍüTA3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8B3Eãïâ Í S—ÞÅ& !|@€€Eãïâ ÍüTB3 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**XC31¡J"Í S—ÞÅ&  ¡!€@€€1¡J"ÍühC3 cÒ3Õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**XD3ìõùJ"Í S—ÞÅ&  ¡!€@€€ìõùJ"ÍühD3 cÒ3Õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8E3b¦ K"Í S—ÞÅ& !|@€€b¦ K"ÍühE3 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`F3.E¤,#Í S—ÞÅ& ±!|@€€.E¤,#ÍüøF3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**G3°R«”)Í S—ÞÅ& e!|@€€°R«”)ÍüôG3 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@H3ð÷”)Í S—ÞÅ& “!|@€€ð÷”)Íü H3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**I3¦.Â*Í S—ÞÅ& e!|@€€¦.Â*ÍütI3 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@J3Ê l*Í S—ÞÅ& “!|@€€Ê l*ÍütJ3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`K3(Yÿó.Í S—ÞÅ& ±!|@€€(Yÿó.ÍüXK3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`L3Æ+B1Í S—ÞÅ& ±!|@€€Æ+B1ÍüL3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`** M3€°,ŽÍ rBøëV õ!}€€€°,ŽÍM3 FÓì¼R€127082360300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **`N3"6¹½Í S—ÞÅ& ±!|@€€"6¹½Íü¨N3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8O3¥Œ¾½Í S—ÞÅ& !|@€€¥Œ¾½ÍüœO3 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**XP3‹B1*¿Í S—ÞÅ&  ¡!€@€€‹B1*¿Íü°P3 cÒ3Õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**XQ3)^0+¿Í S—ÞÅ&  ¡!€@€€)^0+¿Íü°Q3 cÒ3Õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8R3˜J+¿Í S—ÞÅ& !|@€€˜J+¿Íü°R3 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`S3ÝÎLÀÍ S—ÞÅ& ±!|@€€ÝÎLÀÍüŒS3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`T3N[‚*ØÍ S—ÞÅ& ±!|@€€N[‚*ØÍüèT3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`U3‹™xÚÍ S—ÞÅ& ±!|@€€‹™xÚÍü(U3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**V3`›:¿òÍ S—ÞÅ& e!|@€€`›:¿òÍüPV3 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@W3,mοòÍ S—ÞÅ& “!|@€€,mοòÍüàW3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**X3|ôø+óÍ S—ÞÅ& e!|@€€|ôø+óÍüLX3 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@Y3«C—óÍ S—ÞÅ& “!|@€€«C—óÍüLY3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@** Z3€pjVWÍ rBøëV õ!}€€€pjVWÍZ3 FÓì¼R€135722360300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **`[3º‚o¹gÍ S—ÞÅ& ±!|@€€º‚o¹gÍüD [3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8\3m5¾gÍ S—ÞÅ& !|@€€m5¾gÍü€\3 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**X]3@Ê¿&iÍ S—ÞÅ&  ¡!€@€€@Ê¿&iÍü”]3 cÒ3Õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**X^3ä]–'iÍ S—ÞÅ&  ¡!€@€€ä]–'iÍü”^3 cÒ3Õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8_3о·'iÍ S—ÞÅ& !|@€€Ð¾·'iÍü”_3 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**``3OÛ†jÍ S—ÞÅ& ±!|@€€OÛ†jÍü,`3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`a3º§pU¡Í S—ÞÅ& ±!|@€€º§pU¡Íü¼a3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`b3´‡££Í S—ÞÅ& ±!|@€€´‡££Íüðb3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**c3Ã}é»Í S—ÞÅ& e!|@€€Ã}é»ÍüPc3 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@d3ýPê»Í S—ÞÅ& “!|@€€ýPê»Íü€d3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**e3ý‚æU¼Í S—ÞÅ& e!|@€€ý‚æU¼Íüœe3 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@f3]ò-Á¼Í S—ÞÅ& “!|@€€]ò-Á¼Íü f3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**(g3t}:› Í S—ÞÅ& y!|@€€t}:› Íülg3 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**Ðh3¬¦Â Í ßñæâRßñæâpl›”ÀÿJ4(5òÛAÏMsj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿGøAÿÿ:1=Virtual Disk ServiceAS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · ! 5!B€¬¦Â Íh3 FÓì¼@2010001Ð**i3ê>ù Í S—ÞÅ& Y!|@€€ê>ù Íüi3 ÞáÜ4d Virtual Diskstopped vds/1**(j3®µQÆ Í S—ÞÅ& }!|@€€®µQÆ Íü¬j3 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**`k3ÇFñÇ Í S—ÞÅ& ±!|@€€ÇFñÇ Íük3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**(l3.  Í S—ÞÅ& y!|@€€.  Íül3 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**(m3 Aj Í S—ÞÅ& }!|@€€ Aj ÍüPm3 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**(n3§õº Í S—ÞÅ& }!|@€€§õº ÍüHn3 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**(o3yÕ»Í S—ÞÅ& }!|@€€yÕ»Íüìo3 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**`p3ïi«:Í S—ÞÅ& ±!|@€€ïi«:ÍüH p3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**(q3ÁsÑÍÍ S—ÞÅ& y!|@€€ÁsÑÍÍüPq3 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**(r3lÆLÍ S—ÞÅ& y!|@€€lÆLÍüˆr3 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**`s3a»œÍ S—ÞÅ& ±!|@€€a»œÍüs3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8t3k ¢¦Í S—ÞÅ& !|@€€k ¢¦Íüôt3 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**Xu3ó‘žÍ S—ÞÅ&  ¡!€@€€ó‘žÍü¨u3 cÒ3Õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**Xv3g8ˆÍ S—ÞÅ&  ¡!€@€€g8ˆÍü¨v3 cÒ3Õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8w37K›Í S—ÞÅ& !|@€€7K›Íü¨w3 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`x3a¾¦êÍ S—ÞÅ& ±!|@€€a¾¦êÍüH x3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`** y3€0Ô€ Í rBøëV õ!}€€€0Ô€ Íy3 FÓì¼R€144362360300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **`z3{=ejÍ S—ÞÅ& ±!|@€€{=ejÍüdz3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`{3{@{ÏlÍ S—ÞÅ& ±!|@€€{@{ÏlÍü´{3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**|3‹ÎÕ…Í S—ÞÅ& e!|@€€‹ÎÕ…Íü|3 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@}3.…Í S—ÞÅ& “!|@€€.…ÍüŒ}3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**~3ãøú…Í S—ÞÅ& e!|@€€ãøú…ÍüŒ~3 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@3ãÊDë…Í S—ÞÅ& “!|@€€ãÊDë…ÍüD3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`€3у­Š³Í S—ÞÅ& ±!|@€€Ñƒ­Š³Íü˜€3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**83=¶¿“³Í S—ÞÅ& !|@€€=¶¿“³Íü03 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**X‚3%FÇþ´Í S—ÞÅ&  ¡!€@€€%FÇþ´Íü`‚3 cÒ3Õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**Xƒ3µ:¿ÿ´Í S—ÞÅ&  ¡!€@€€µ:¿ÿ´Íü`ƒ3 cÒ3Õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8„3+ëÏÿ´Í S—ÞÅ& !|@€€+ëÏÿ´Íü`„3 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`…3цÃصÍ S—ÞÅ& ±!|@€€Ñ†ÃصÍüP…3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**è†3<NCåÍ ¼"_݆z¼"_ÝÖJKlôñ¹®¼9VA Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ‚øAÿÿF=†AS t §  Ð õ  ?Aÿÿj “ Á AÿÿöFF Aÿÿ‚F§Ì  öÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · !  @ ­!€<NCåÍ8`†3Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <Õ}Rz <ÕÐ!ö{ôA²»Äjÿÿ^‹Aÿÿ%³=NewTime Aÿÿ%³=OldTime Ð~DCåÍL:"åÍè**8‡3j&ÁÍ ¼"_݆z  @ +!€j&ÁÍ8`‡3Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <Õ}Ðé&ÀÍå»Ö‘éÍ8**(ˆ3\à§ÕÍ S—ÞÅ& !|@€€\à§ÕÍü¨ˆ3 ÞáÜ4d"(FResponse Servicestopped(FResponse Service/1(** ‰3€ÖÍ rBøëV õ!}€€€Ö͉3 FÓì¼R€152996360300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **`Š3JÍ S—ÞÅ& ±!|@€€JÍüÀŠ3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`‹3j«ZfÍ S—ÞÅ& ±!|@€€j«ZfÍü@‹3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**8Œ3(ém[:Í ¼"_݆z  @ +!€(ém[:Í8`Œ3Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <Õ}P0ÎZ:Íc8EM:Í8**`3œ•±ª:Í S—ÞÅ& ±!|@€€œ•±ª:Íüì3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`Ž3ŽŒµø<Í S—ÞÅ& ±!|@€€ŽŒµø<Íü Ž3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**(3ˆnÓvBÍ ¼"_݆z  <  !2€ˆnÓvBÍÌŒ3Microsoft-Windows-Time-ServiceëÏíÐSN¬Ê¦ø»øËSystem Љ¦ ‹Ð‰¦ J…£Þ£§Ÿ™?åAÿÿÙ‹==TMP_EVENT_LOCALCLOCK_UNSETAÿÿK³==TimeDifferenceMilliseconds Aÿÿ9³+=TimeSampleSeconds ˆ„(**3#ãt>NÍ S—ÞÅ& e!|@€€#ãt>NÍü3 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@‘3=c?NÍ S—ÞÅ& “!|@€€=c?NÍüì‘3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**’3xLÿªNÍ S—ÞÅ& e!|@€€xLÿªNÍüì’3 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@“3ÖGOÍ S—ÞÅ& “!|@€€ÖGOÍüP“3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`”32tJÖTÍ S—ÞÅ& ±!|@€€2tJÖTÍüì”3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8•3[[ËUÍ S—ÞÅ& !|@€€[[ËUÍü´•3 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**X–3W’U3WÍ S—ÞÅ&  ¡!€@€€W’U3WÍüX–3 cÒ3Õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**X—3‰O4WÍ S—ÞÅ&  ¡!€@€€‰O4WÍüX—3 cÒ3Õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8˜3õŒt4WÍ S—ÞÅ& !|@€€õŒt4WÍüX˜3 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`™3ãøúWÍ S—ÞÅ& ±!|@€€ãøúWÍüø™3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`š3bs#±dÍ S—ÞÅ& ±!|@€€bs#±dÍüTš3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`›3rL<ÿfÍ S—ÞÅ& ±!|@€€rL<ÿfÍüø›3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**`œ3NŸR €Í S—ÞÅ& ±!|@€€NŸR €Íü œ3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`3/hZ‚Í S—ÞÅ& ±!|@€€/hZ‚Íü43 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**8ž3Ð4—žÍ ¼"_݆z  @ +!€Ð4—žÍ8`ž3Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <Õ} ,–žÍ´CÄnžÍ8** Ÿ3€èCò²Í rBøëV õ!}€€€èCò²ÍŸ3 FÓì¼R€159520460300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **¸ 3v"*%ØÍ ¼"_݆z  4 ·!MY v"*%ØÍœ 3Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLCh£ÝLCh´y…ÓÒmÖ»Í dÿÿX‹Aÿÿ³=TSId Aÿÿ%³=UserSid —*gy TJ¶‡(~Z¸**@¡3ü& +ØÍ ¼"_݆z : !߀ü& +ØÍ#?Û¦¨eB¶]~›ÚeX|¡3—*gy TJ¶‡(~ZMicrosoft-Windows-GroupPolicyú´¡®Ñ—òE¦LMiÿý’ÉSystem MÚ#á¤MÚ#á÷®€ô 0à[÷ÚŠÿÿ~‹Aÿÿ/³!= SupportInfo1 Aÿÿ/³!= SupportInfo2 Aÿÿ3³%=ProcessingMode AÿÿO³A=ProcessingTimeInMilliseconds Aÿÿ#³=DCName AÿÿK³==NumberOfGroupPolicyObjects :[ V \\Controller.shieldbase.local@**@¢3¿ÕW+ØÍ S—ÞÅ& “!|@€€¿ÕW+ØÍüx¢3 ÞáÜ4dDPortable Device Enumerator ServicerunningWPDBusEnum/4@**(£3N«x.ØÍ S—ÞÅ& y!|@€€N«x.ØÍüœ£3 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**(¤3\ g6ØÍ S—ÞÅ& }!|@€€\ g6ØÍüx¤3 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**8¥3¶ÒrQØÍ ¼"_݆z  4 ;!NZ ¶ÒrQØÍœ¥3Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLCh£—*gy TJ¶‡(~Z8**@¦3˜GM™ØÍ S—ÞÅ& “!|@€€˜GM™ØÍü”¦3 ÞáÜ4dDPortable Device Enumerator ServicestoppedWPDBusEnum/1@**(§3ÁÙÍ S—ÞÅ& y!|@€€ÁÙÍü”§3 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**(¨3¶Ê ÙÍ S—ÞÅ& }!|@€€¶Ê ÙÍü¨3 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**`©3ÊX*ÿÍ S—ÞÅ& ±!|@€€ÊX*ÿÍü€©3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8ª3 eZ1ÿÍ S—ÞÅ& !|@€€ eZ1ÿÍüª3 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**X«3ÚNšÍ S—ÞÅ&  ¡!€@€€ÚNšÍüü «3 cÒ3Õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**X¬3&›šÍ S—ÞÅ&  ¡!€@€€&›šÍüü ¬3 cÒ3Õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8­3Ht©šÍ S—ÞÅ& !|@€€Ht©šÍüü ­3 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`®3í rxÍ S—ÞÅ& ±!|@€€í rxÍü®3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**8¯3õA Í ¼"_݆z  @ +!€õA Í8`¯3Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <Õ}°’? ÍÖ\Í8**°3’ iÍ S—ÞÅ& e!|@€€’ iÍü`°3 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@±3%èiÍ S—ÞÅ& “!|@€€%èiÍü±3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**8²3­Öö…Í ¼"_݆z  4 ;!MY ­Öö…ͼð²3Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLCh£—*gy TJ¶‡(~Z8**(³3´ŠôŒÍ S—ÞÅ& y!|@€€´ŠôŒÍüH³3 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**@´3vjøŒÍ S—ÞÅ& “!|@€€vjøŒÍüH´3 ÞáÜ4dDPortable Device Enumerator ServicerunningWPDBusEnum/4@**(µ3¦”žÍ S—ÞÅ& }!|@€€¦”žÍüµ3 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**¶3ZžÍ S—ÞÅ& m!|@€€ZžÍü¶3 ÞáÜ4d&Software Protectionrunningsppsvc/4**@·3É7ÔÍ S—ÞÅ& “!|@€€É7ÔÍüH·3 ÞáÜ4dDPortable Device Enumerator ServicestoppedWPDBusEnum/1@**¸3 RÉÕÍ S—ÞÅ& e!|@€€ RÉÕÍüH¸3 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@¹3 bAÍ S—ÞÅ& “!|@€€ bAÍü` ¹3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**(º3ÏΦMÍ S—ÞÅ& y!|@€€ÏΦMÍü`º3 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**»3’2SÍ S—ÞÅ& m!|@€€’2SÍü`»3 ÞáÜ4d&Software Protectionstoppedsppsvc/1**(¼34‘¥Í S—ÞÅ& }!|@€€4‘¥ÍüÐ ¼3 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**½3ÀqÏRÍ S—ÞÅ& m!|@€€ÀqÏRÍüܽ3 ÞáÜ4d&Software Protectionrunningsppsvc/4**¾3†š6Í S—ÞÅ& m!|@€€†š6Íüd¾3 ÞáÜ4d&Software Protectionstoppedsppsvc/1**¿3ÎÚß#Í S—ÞÅ& o!|@€€ÎÚß#Íü€¿3 ÞáÜ4d"Disk Defragmenterrunningdefragsvc/4**À3öpóŒ#Í S—ÞÅ& o!|@€€öpóŒ#Íü€À3 ÞáÜ4d"Disk Defragmenterstoppeddefragsvc/1**Á3­:K1$Í S—ÞÅ& m!|@€€­:K1$Íü¸Á3 ÞáÜ4d&Software Protectionrunningsppsvc/4**(Â3²®1$Í S—ÞÅ& y!|@€€²®1$Íü€Â3 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**8Ã3ÛRT$Í ¼"_݆z  4 ;!NZ ÛRT$ͼðÃ3Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLCh£—*gy TJ¶‡(~Z8**Ä3Y÷Éä$Í S—ÞÅ& m!|@€€Y÷Éä$ÍüŒÄ3 ÞáÜ4d&Software Protectionstoppedsppsvc/1**(Å3…Ù]%Í S—ÞÅ& y!|@€€…Ù]%ÍüàÅ3 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**8Æ3;³9r%Í ¼"_݆z  4 ;!MY ;³9r%ÍÀØÆ3Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLCh£}¡— ƒ±y_Üb¥é8**`Ç3™ƒìr%Í ¼"_݆z : ?!߀™ƒìr%Í/„”"Q%"HœSgX€Ç3}¡— ƒ±y_Üb¥éMicrosoft-Windows-GroupPolicyú´¡®Ñ—òE¦LMiÿý’ÉSystem MÚ#á¤[ î`**@È3K>Ês%Í S—ÞÅ& “!|@€€K>Ês%ÍüHÈ3 ÞáÜ4dDPortable Device Enumerator ServicerunningWPDBusEnum/4@**@É3»®Q»%Í S—ÞÅ& “!|@€€»®Q»%ÍüPÉ3 ÞáÜ4dDPortable Device Enumerator ServicestoppedWPDBusEnum/1@**8Ê3ã‘S'Í ¼"_݆z  4 ;!NZ ã‘S'ÍÀØÊ3Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLCh£}¡— ƒ±y_Üb¥é8**`Ë3š²ùO.Í S—ÞÅ& ±!|@€€š²ùO.Íü`Ë3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`Ì3öäž0Í S—ÞÅ& ±!|@€€öäž0ÍüØÌ3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**8Í3÷SIã^Í ¼"_݆z  4 ;!MY ÷SIã^ÍÐè Í3Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLCh£}¡— ƒ±y_Üb¥é8**@Î3Á¶ä^Í S—ÞÅ& “!|@€€Á¶ä^Íü0Î3 ÞáÜ4dDPortable Device Enumerator ServicerunningWPDBusEnum/4@**(Ï3säå^Í S—ÞÅ& y!|@€€säå^ÍühÏ3 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**(Ð3ñü{å^Í S—ÞÅ& }!|@€€ñü{å^Íü8Ð3 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**@Ñ3 =,_Í S—ÞÅ& “!|@€€ =,_Íü8Ñ3 ÞáÜ4dDPortable Device Enumerator ServicestoppedWPDBusEnum/1@**(Ò3¹ïl˜_Í S—ÞÅ& y!|@€€¹ïl˜_ÍüDÒ3 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**(Ó3r K`Í S—ÞÅ& }!|@€€r K`ÍüÜÓ3 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(** Ô3èŸ|Í rBøëV õ!}€€èŸ|ÍÔ3 FÓì¼R€168145260300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **(Õ3Èü©Í S—ÞÅ& }!|@€€Èü©ÍüPÕ3 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**Ö3)¢r«Í S—ÞÅ& e!|@€€)¢r«ÍüäÖ3 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@×3[Æ·«Í S—ÞÅ& “!|@€€[Æ·«ÍüP×3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**Ø3!ÞʵÍ S—ÞÅ& m!|@€€!ÞʵÍüPØ3 ÞáÜ4d&Software Protectionrunningsppsvc/4**(Ù3QÈ6ÆÍ S—ÞÅ& y!|@€€QÈ6ÆÍü¸ Ù3 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**Ú3d_(CžÍ S—ÞÅ& e!|@€€d_(CžÍüäÚ3 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**Û3™ÍrižÍ S—ÞÅ& m!|@€€™ÍrižÍüx!Û3 ÞáÜ4d&Software Protectionstoppedsppsvc/1**(Ü3|…©yžÍ S—ÞÅ& y!|@€€|…©yžÍüx!Ü3 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**@Ý3äús®žÍ S—ÞÅ& “!|@€€äús®žÍü4"Ý3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**(Þ3[NV=ŸÍ S—ÞÅ& }!|@€€[NV=ŸÍü¸#Þ3 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**`ß3»¯‹¡Í S—ÞÅ& ±!|@€€»¯‹¡ÍüÐ ß3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8à3 ¢óÊ£Í S—ÞÅ& !|@€€ ¢óÊ£Íü<#à3 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**Xá3”èp5¥Í S—ÞÅ&  ¡!€@€€”èp5¥Íü<á3 cÒ3Õ 2 Windows Modules Installerdemand startauto startTrustedInstallerX**Xâ3;$¿6¥Í S—ÞÅ&  ¡!€@€€;$¿6¥Íü<â3 cÒ3Õ 2 Windows Modules Installerauto startdemand startTrustedInstallerX**8ã3ÛIå6¥Í S—ÞÅ& !|@€€ÛIå6¥Íü<ã3 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`ä32<¤ñ¥Í S—ÞÅ& ±!|@€€2<¤ñ¥Íü°ä3 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**å3_xº’àÍ S—ÞÅ& e!|@€€_xº’àÍüÔ!å3 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@æ3{ÆÈ’àÍ S—ÞÅ& “!|@€€{ÆÈ’àÍü¼!æ3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**8ç3ÇÏÉÜàÍ S—ÞÅ& !|@€€ÇÏÉÜàÍü¼!ç3 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**è3-wþàÍ S—ÞÅ& e!|@€€-wþàÍü<#è3 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@é3ÒþÀiáÍ S—ÞÅ& “!|@€€ÒþÀiáÍü¤ é3 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@ S—ÞÅ&  €@€€uû™^âÍü|ê3 cÒ3Õ 2Windows Modules Installerdemand startElfChnkÚê3 4€PýÈþÿŽ S^}]ö—ÌÁ¿=Šœ[œ§—›”àöзt?ø)›‚M+“D×EV½!4œ[òu†Õ•k‰a’ƒìÔÀpg¶ö˜& **ê3uû™^âÍ S—ÞÅ&S—ÞÅB•”"ó[¥ˆå›AMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿßøoTSystemAÿÿ2ñ{ProviderF=K•NameService Control ManagerF†)Guid&{555908d1-a6d7-4695-8e1e-26931d2012f4}í`ÖEventSourceNameService Control ManagerAMSõaEventID't†)Ú Qualifiers "§ Version ÐdÎLevelõE{Task ®Opcode$?jÏKeywordsAÿÿPj;Ž TimeCreated'“j<{ SystemTime .ÁF EventRecordID Aÿÿ…ö¢ò Correlation\F ñ ActivityIDFS5ÅRelatedActivityIDAÿÿm‚¸µ ExecutionHF§ × ProcessIDÌõ…9ThreadID ÿÿ.öƒaChannelSystemÿÿb+j;nComputerWKS-WIN764BITB.shieldbase.localAÿÿB”í .Security·fLUserID !  ¡!€@€€uû™^âÍü|ê3 cÒ3pcÒ3þœ ©™Î}²F±ôèÿÿÜ—D‚ EventDataAÿÿ5¿§ŠoData=param1 Aÿÿ#¿=param2 Aÿÿ#¿=param3 Aÿÿ#¿=param4 2 Windows Modules Installerdemand startauto startTrustedInstaller**Xë3YÜ$_âÍ S—ÞÅ&  ¡!€@€€YÜ$_âÍü|ë3 cÒ3p2 Windows Modules Installerauto startdemand startTrustedInstallerX**àì3SdM_âÍ S—ÞÅ& 2!|@€€SdM_âÍü|ì3 ÞáÜ4 ÞáÜ4v¢ä“ú*…M^pâÿÿ—Aÿÿ#¿=param1 Aÿÿ#¿=param2 ÿÿ ˜ !¸Binary 2&Windows Modules Installerstopped&TrustedInstaller/1rà**`í3ƒlz…÷Í S—ÞÅ& ±!|@€€ƒlz…÷Íüx!í3 ÞáÜ4 P,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`î3š?ÓùÍ S—ÞÅ& ±!|@€€š?ÓùÍü#î3 ÞáÜ4 P,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**(ï3£áy‘CÍ S—ÞÅ& y!|@€€£áy‘CÍüø!ï3 ÞáÜ4 4Multimedia Class SchedulerrunningMMCSS/4(**0ð3]|á˜CÍ S—ÞÅ& …!|@€€]|á˜CÍü` ð3 ÞáÜ4 >Windows Error Reporting ServicerunningWerSvc/40**0ñ3Ô*jàCÍ S—ÞÅ& …!|@€€Ô*jàCÍüLñ3 ÞáÜ4 >Windows Error Reporting ServicestoppedWerSvc/10**àò3PÍ3éCÍ ¼"_Ý®¼"_ÝÖJKlôñ¹®¼9VA Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ‚øAÿÿF=†AS t §  Ð õ  ?Aÿÿj “ Á AÿÿöFF Aÿÿ‚F§Ì  öÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · !  4 ·!NZ PÍ3éCÍ $ò3Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLCh¹ÝLCh´y…ÓÒmÖ»Í dÿÿX—Aÿÿ¿=TSId Aÿÿ%¿=UserSid —*gy TJ¶‡(~Qà**(ó3 TõCÍ S—ÞÅ& }!|@€€ TõCÍüLó3 ÞáÜ4 ,Application ExperiencerunningAeLookupSvc/4(**(ô3(f³˜DÍ S—ÞÅ& y!|@€€(f³˜DÍüô3 ÞáÜ4 4Multimedia Class SchedulerstoppedMMCSS/1(**Èõ3¨ 1EÍ rBøëÞrBøë9S‘(B{ÌuõKÃA·Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ/øAÿÿ"=EventLogAS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · ! A!}€€¨ 1EÍõ3 FÓìDFÓì%g>¶9×{p(é4ÿÿ(— ¿ ˜ R€176785260300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.localÈ**(ö3 ¿ôZEÍ S—ÞÅ& }!|@€€ ¿ôZEÍüö3 ÞáÜ4 ,Application ExperiencestoppedAeLookupSvc/1(**(÷3¸÷J®MÍ S—ÞÅ& }!|@€€¸÷J®MÍü$÷3 ÞáÜ4 ,Application ExperiencerunningAeLookupSvc/4(** ø3¢hNÍ S—ÞÅ& Û!…@€€¢hNÍü$ø3—*gy TJ¶‡(~‰ YA¶&!YA¶&§Ÿï)Úì ÛY„ÿÿ—Aÿÿ-¿= ServiceName Aÿÿ)¿= ImagePath Aÿÿ-¿= ServiceType Aÿÿ)¿= StartType Aÿÿ-¿= AccountName  2"PsExec%SystemRoot%\PSEXESVC.EXEuser mode servicedemand startLocalSystem **ù3ð„»NÍ S—ÞÅ& W!|@€€ð„»NÍü0ù3 ÞáÜ4  PsExecrunningPSEXESVC/4**ú3’kNÍ S—ÞÅ& W!|@€€’kNÍü$ú3 ÞáÜ4  PsExecstoppedPSEXESVC/1**€û3ÂŒNÍ S—ÞÅ& µ!…@€€ÂŒNÍü$û3—*gy TJ¶‡(~‰ YA¶&! 2"PsExec%SystemRoot%\PSEXESVC.EXEuser mode servicedemand startLocalSystem€**ü3’¢ ŒNÍ S—ÞÅ& W!|@€€’¢ ŒNÍüLü3 ÞáÜ4  PsExecrunningPSEXESVC/4**(ý3Þ™<òOÍ S—ÞÅ& }!|@€€Þ™<òOÍü˜ ý3 ÞáÜ4 ,Application ExperiencestoppedAeLookupSvc/1(**þ3ŽÄµPÍ S—ÞÅ& W!|@€€ŽÄµPÍü$"þ3 ÞáÜ4  PsExecstoppedPSEXESVC/1**€ÿ3¬8•ÂPÍ S—ÞÅ& µ!…@€€¬8•ÂPÍü$"ÿ3—*gy TJ¶‡(~‰ YA¶&! 2"PsExec%SystemRoot%\PSEXESVC.EXEuser mode servicedemand startLocalSystem€**4žÂPÍ S—ÞÅ& W!|@€€žÂPÍüp 4 ÞáÜ4  PsExecrunningPSEXESVC/4**(4¸UuÃPÍ S—ÞÅ& }!|@€€¸UuÃPÍüp 4 ÞáÜ4 ,Application ExperiencerunningAeLookupSvc/4(**`4àTQÍ S—ÞÅ& ±!|@€€àTQÍüÌ4 ÞáÜ4 P,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**84ðËŠ^QÍ S—ÞÅ& !|@€€ðËŠ^QÍüÌ4 ÞáÜ4 2&Windows Modules Installerrunning&TrustedInstaller/48**(4¸)RÍ S—ÞÅ& }!|@€€¸)RÍü4 ÞáÜ4 ,Application ExperiencestoppedAeLookupSvc/1(**X4Ø.aÈRÍ S—ÞÅ&  ¡!€@€€Ø.aÈRÍü”4 cÒ3p2 Windows Modules Installerdemand startauto startTrustedInstallerX**X4ZüQÉRÍ S—ÞÅ&  ¡!€@€€ZüQÉRÍü”4 cÒ3p2 Windows Modules Installerauto startdemand startTrustedInstallerX**84’˜nÉRÍ S—ÞÅ& !|@€€’˜nÉRÍü”4 ÞáÜ4 2&Windows Modules Installerstopped&TrustedInstaller/18**`4ö¢SÍ S—ÞÅ& ±!|@€€ö¢SÍü 4 ÞáÜ4 P,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**( 4Ç\TÍ S—ÞÅ& }!|@€€Ç\TÍüÄ 4 ÞáÜ4 ,Application ExperiencerunningAeLookupSvc/4(**( 4É™ëVÍ S—ÞÅ& }!|@€€É™ëVÍüÌ 4 ÞáÜ4 ,Application ExperiencestoppedAeLookupSvc/1(**( 4C9ÈXÍ S—ÞÅ& }!|@€€C9ÈXÍü° 4 ÞáÜ4 ,Application ExperiencerunningAeLookupSvc/4(**0 4^k»YÍ S—ÞÅ& …!|@€€^k»YÍü4 4 ÞáÜ4 >Windows Error Reporting ServicerunningWerSvc/40**0 4^ òZÍ S—ÞÅ& …!|@€€^ òZÍüÀ# 4 ÞáÜ4 >Windows Error Reporting ServicestoppedWerSvc/10**(4ÎuE![Í S—ÞÅ& }!|@€€ÎuE![Íüä"4 ÞáÜ4 ,Application ExperiencestoppedAeLookupSvc/1(**(4^QØ0\Í S—ÞÅ& }!|@€€^QØ0\Íüˆ!4 ÞáÜ4 ,Application ExperiencerunningAeLookupSvc/4(**(4¬ôB_Í S—ÞÅ& }!|@€€¬ôB_Íüè4 ÞáÜ4 ,Application ExperiencestoppedAeLookupSvc/1(**(4j-JaÍ S—ÞÅ& }!|@€€j-JaÍü\ 4 ÞáÜ4 ,Application ExperiencerunningAeLookupSvc/4(**04^ª–•bÍ S—ÞÅ& …!|@€€^ª–•bÍüÐ4 ÞáÜ4 >Windows Error Reporting ServicerunningWerSvc/40**04Ž}lßbÍ S—ÞÅ& …!|@€€Ž}lßbÍü44 ÞáÜ4 >Windows Error Reporting ServicestoppedWerSvc/10**(4Bâ–cÍ S—ÞÅ& }!|@€€Bâ–cÍü, 4 ÞáÜ4 ,Application ExperiencestoppedAeLookupSvc/1(**¸4þX6FrÍ ¼"_Ý®  @ ­!€þX6FrÍ8`4Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <Õ×Ez <ÕÐ!ö{ôA²»Äjÿÿ^—Aÿÿ%¿=NewTime Aÿÿ%¿=OldTime Á¼ErÍ*˜Á#r͸**ˆ4T‚•§sÍ S—ÞÅ& ½!…@€€T‚•§sÍül4—*gy TJ¶‡(~Z YA¶&!"$"FResponse Servicef-response-ent.exeuser mode servicedemand startLocalSystemˆ**x4ª¨sÍ S—ÞÅ&  ¿!…@€€ª¨sÍüÌ4 YA¶&!J$MnemosyneC:\Windows\system32\Mnemosyne_x64.syskernel mode driverdemand startx**(4Ê_רsÍ S—ÞÅ& !|@€€Ê_רsÍüÌ4 ÞáÜ4 "(FResponse Servicerunning(FResponse Service/4(**4ì‚é½zÍ S—ÞÅ& e!|@€€ì‚é½zÍü4 ÞáÜ4 $ Volume Shadow Copyrunning VSS/4**@4šÏ¾zÍ S—ÞÅ& “!|@€€šÏ¾zÍü8 4 ÞáÜ4 NMicrosoft Software Shadow Copy Providerrunningswprv/4@**(4ñ ÚzÍ S—ÞÅ& y!|@€€ñ ÚzÍüŒ4 ÞáÜ4 4Multimedia Class SchedulerrunningMMCSS/4(**4VE{Í S—ÞÅ& e!|@€€VE{ÍüŒ4 ÞáÜ4 $ Volume Shadow Copystopped VSS/1**(4äMy{Í S—ÞÅ& y!|@€€äMy{Íü 4 ÞáÜ4 4Multimedia Class SchedulerstoppedMMCSS/1(**@4"Ã\°{Í S—ÞÅ& “!|@€€"Ã\°{Íü 4 ÞáÜ4 NMicrosoft Software Shadow Copy Providerstoppedswprv/1@**4NœÜ§Í S—ÞÅ& e!|@€€NœÜ§Íül4 ÞáÜ4 $ Volume Shadow Copyrunning VSS/4**@ 4ˆè§Í S—ÞÅ& “!|@€€ˆè§Íü  4 ÞáÜ4 NMicrosoft Software Shadow Copy Providerrunningswprv/4@**!4JˆŽ©Í S—ÞÅ& m!|@€€JˆŽ©Íül!4 ÞáÜ4 &Software Protectionrunningsppsvc/4**"4êRÍ‚Í S—ÞÅ& e!|@€€êRÍ‚Íü "4 ÞáÜ4 $ Volume Shadow Copystopped VSS/1**#4€xT]‚Í S—ÞÅ& m!|@€€€xT]‚Íü$#4 ÞáÜ4 &Software Protectionstoppedsppsvc/1**@$4ê$‚Í S—ÞÅ& “!|@€€ê$‚Íü°$4 ÞáÜ4 NMicrosoft Software Shadow Copy Providerstoppedswprv/1@**%4Q@½©Í S—ÞÅ& e!|@€€Q@½©Íüx%4 ÞáÜ4 $ Volume Shadow Copyrunning VSS/4**@&4ŸN½©Í S—ÞÅ& “!|@€€ŸN½©Íü8"&4 ÞáÜ4 NMicrosoft Software Shadow Copy Providerrunningswprv/4@**8'4Vô"ªÍ S—ÞÅ& !|@€€Vô"ªÍü8"'4 ÞáÜ4 2&Windows Modules Installerrunning&TrustedInstaller/48**(4 ¨ð(ªÍ S—ÞÅ& e!|@€€ ¨ð(ªÍü(4 ÞáÜ4 $ Volume Shadow Copystopped VSS/1**@)4 z:”ªÍ S—ÞÅ& “!|@€€ z:”ªÍü<)4 ÞáÜ4 NMicrosoft Software Shadow Copy Providerstoppedswprv/1@**X*4Rm‰«Í S—ÞÅ&  ¡!€@€€Rm‰«Íü@*4 cÒ3p2 Windows Modules Installerdemand startauto startTrustedInstallerX**X+4èŠ«Í S—ÞÅ&  ¡!€@€€èŠ«Íü@+4 cÒ3p2 Windows Modules Installerauto startdemand startTrustedInstallerX**8,4ÀŠ«Í S—ÞÅ& !|@€€ÀŠ«Íü@,4 ÞáÜ4 2&Windows Modules Installerstopped&TrustedInstaller/18**`-4ÚˆµbèÍ S—ÞÅ& ±!|@€€ÚˆµbèÍü -4 ÞáÜ4 P,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8.4FèølèÍ S—ÞÅ& !|@€€FèølèÍüp.4 ÞáÜ4 2&Windows Modules Installerrunning&TrustedInstaller/48**X/4üS»×éÍ S—ÞÅ&  ¡!€@€€üS»×éÍü/4 cÒ3p2 Windows Modules Installerdemand startauto startTrustedInstallerX**X04ùÃØéÍ S—ÞÅ&  ¡!€@€€ùÃØéÍü04 cÒ3p2 Windows Modules Installerauto startdemand startTrustedInstallerX**814H¼çØéÍ S—ÞÅ& !|@€€H¼çØéÍü14 ÞáÜ4 2&Windows Modules Installerstopped&TrustedInstaller/18**`24Ú‹Ë°êÍ S—ÞÅ& ±!|@€€Ú‹Ë°êÍü24 ÞáÜ4 P,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**834bP:qöÍ ¼"_Ý®  4 ;!MY bP:qöÍ<34Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLCh¹—*gy TJ¶‡(~Q8**@44p²™yöÍ S—ÞÅ& “!|@€€p²™yöÍü˜44 ÞáÜ4 DPortable Device Enumerator ServicerunningWPDBusEnum/4@**(54&¬€~öÍ S—ÞÅ& y!|@€€&¬€~öÍüX54 ÞáÜ4 4Multimedia Class SchedulerrunningMMCSS/4(**(64ê„öÍ S—ÞÅ& }!|@€€ê„öÍüø!64 ÞáÜ4 ,Application ExperiencerunningAeLookupSvc/4(**`74>çŠöÍ S—ÞÅ& ±!|@€€>çŠöÍüX74 ÞáÜ4 P,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**`84§$ÐöÍ S—ÞÅ&  ¥!€@€€§$ÐöÍüX84 cÒ3pNBackground Intelligent Transfer Servicedemand startauto startBITS`**94m4²öÍ S—ÞÅ& m!|@€€m4²öÍüX94 ÞáÜ4 &Software Protectionrunningsppsvc/4**@:4ŠT1ÁöÍ S—ÞÅ& “!|@€€ŠT1ÁöÍüø!:4 ÞáÜ4 DPortable Device Enumerator ServicestoppedWPDBusEnum/1@**;4”ùÞÜöÍ S—ÞÅ& e!|@€€”ùÞÜöÍü@;4 ÞáÜ4 $ Volume Shadow Copyrunning VSS/4**@<4ÔôeÞöÍ S—ÞÅ& “!|@€€ÔôeÞöÍüø!<4 ÞáÜ4 NMicrosoft Software Shadow Copy Providerrunningswprv/4@**=4aTPp÷Í S—ÞÅ& e!|@€€aTPp÷Íü¬=4 ÞáÜ4 $ Volume Shadow Copystopped VSS/1**(>43´·÷Í S—ÞÅ& y!|@€€3´·÷ÍüÜ>4 ÞáÜ4 4Multimedia Class SchedulerstoppedMMCSS/1(**@?4«)Û÷Í S—ÞÅ& “!|@€€«)Û÷Íü¬?4 ÞáÜ4 NMicrosoft Software Shadow Copy Providerstoppedswprv/1@**@4yYBøÍ S—ÞÅ& m!|@€€yYBøÍüÜ@4 ÞáÜ4 &Software Protectionstoppedsppsvc/1**(A4c.œGøÍ S—ÞÅ& }!|@€€c.œGøÍü|A4 ÞáÜ4 ,Application ExperiencestoppedAeLookupSvc/1(**(B4y¿¿†øÍ S—ÞÅ& }!|@€€y¿¿†øÍü€B4 ÞáÜ4 ,Application ExperiencerunningAeLookupSvc/4(**(C4Ôè¾úÍ S—ÞÅ& }!|@€€Ôè¾úÍüˆC4 ÞáÜ4 ,Application ExperiencestoppedAeLookupSvc/1(**`D4Êí_ñúÍ S—ÞÅ& ±!|@€€Êí_ñúÍü D4 ÞáÜ4 P,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**(E4<Ó¡ûÍ S—ÞÅ& }!|@€€<Ó¡ûÍü|E4 ÞáÜ4 ,Application ExperiencerunningAeLookupSvc/4(**F4mZµ*ýÍ S—ÞÅ& m!|@€€mZµ*ýÍü"F4 ÞáÜ4 &Software Protectionrunningsppsvc/4**G4MäS6ýÍ S—ÞÅ& e!|@€€MäS6ýÍü"G4 ÞáÜ4 $ Volume Shadow Copyrunning VSS/4**@H4Cg6ýÍ S—ÞÅ& “!|@€€Cg6ýÍü"H4 ÞáÜ4 NMicrosoft Software Shadow Copy Providerrunningswprv/4@**(I4ÀTFLýÍ S—ÞÅ& y!|@€€ÀTFLýÍüd I4 ÞáÜ4 4Multimedia Class SchedulerrunningMMCSS/4(**øJ4꼃þÍ ¼"_Ý®  @ ß! €ê¼ƒþÍ¥…ðð J4Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System /«w‰u†/«w‰mU©WFó­ÿ”Š~ÿÿr—Aÿÿ/¿!= MajorVersion Aÿÿ/¿!= MinorVersion Aÿÿ/¿!= BuildVersion Aÿÿ+¿= QfeVersion Aÿÿ3¿%=ServiceVersion Aÿÿ'¿=BootMode Aÿÿ)¿= StartTime ±?EÀ§ƒþÍø**èK4JÄø…þÍ ¼"_Ý®  > Ñ!€JÄø…þÍ…ðð K4Microsoft-Windows-FilterManagerŽâÅóöcÇI¢äŠÄ°System ¼w7k‰¼w7‘Þ->´v«SZGslÿÿ`—Aÿÿ-¿= FinalStatus Aÿÿ;¿-=DeviceVersionMajor Aÿÿ;¿-=DeviceVersionMinor Aÿÿ7¿)=DeviceNameLength Aÿÿ+¿= DeviceName Aÿÿ+¿= DeviceTime FileInfo€¶ÊíðÊè**XL4øñ¢þÍ rBøëÞ ©!x€€øñ¢þÍL4 FÓìDF@9:59:13 AM 4/ 6/ 20121846932@Ü ; Ü ; ` <` °¿YX**8M4øñ¢þÍ rBøëÞ ‹!y€€øñ¢þÍM4 FÓìDh6.01.7601Service Pack 1Multiprocessor Free175148**èN4øñ¢þÍ rBøëÞ ;!u€€øñ¢þÍN4 FÓìDÜ,}è**˜O4øñ¢þÍ rBøëÞ ë!}€€øñ¢þÍO4 FÓìDH€5260300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local˜**`P4ÿªŒþÍ ¼"_Ý®  < E!?)€ÿªŒþÍ… ¥$P4Microsoft-Windows-Kernel-Power:;3 ÂD¬^w" 7Ö´System ùœ¿Âa’ùœ¿Â¡J|¿®O…§¼ÒÿÿÆ—Aÿÿ/¿!= BugcheckCode Aÿÿ;¿-=BugcheckParameter1 Aÿÿ;¿-=BugcheckParameter2 Aÿÿ;¿-=BugcheckParameter3 Aÿÿ;¿-=BugcheckParameter4 Aÿÿ5¿'=SleepInProgress  Aÿÿ?¿1=PowerButtonTimestamp    `**Q4âÏ©þÍ ¼"_Ý®  P í!€âÏ©þÍ| 0«$<Q4Microsoft-Windows-Kernel-Processor-PowerŸägQþŸN´o)HÌ`'System ÿJ¶–Õ•ÿJ¶–°e8©R°_éÕÌ~šÿÿŽ—Aÿÿ!¿=Group Aÿÿ#¿=Number Aÿÿ3¿%=IdleStateCount Aÿÿ3¿%=PerfStateCount Aÿÿ;¿-=ThrottleStateCount AÿÿI—Z  ComplexData= IdleState ŽAÿÿ)—= PerfState Ž**R4âv¡þÍ S—ÞÅ& e!|@€€âv¡þÍ$€R4 ÞáÜ4 Plug and PlayrunningPlugPlay/4**hS4âv¡þÍ Ü¸,ö˜Þܸ,Ë™ ŸîuJˆ§7j°=Aÿÿ1Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ‚øAÿÿF=†AS t §  Ð õ  ?Aÿÿj “ Á AÿÿöFF Aÿÿ‚F§Ì  öÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · $)›F5DUserData!  2 !b*N€âv¡þÍPß…œ¬S4Microsoft-Windows-UserPnpP ô–1~›]ÏInstallSubsystemState ÿÿ>à˜ ¡ÝCachingSubsystemState    h**øT4L¼¡þÍ S—ÞÅ& O!|@€€L¼¡þÍ$€T4 ÞáÜ4  PowerrunningPower/4ø**`U4®î¡þÍ ¼"_Ý®  > G!€®î¡þÍPß…<U4Microsoft-Windows-FilterManagerŽâÅóöcÇI¢äŠÄ°System ¼w7k‰ luafv€x‰ÈïÊ`**0V4ü‰A¢þÍ S—ÞÅ& ‡!|@€€ü‰A¢þÍ$€V4 ÞáÜ4 8DCOM Server Process LauncherrunningDcomLaunch/40**(W4&ÿV¢þÍ S—ÞÅ& y!|@€€&ÿV¢þÍ$€W4 ÞáÜ4 &RPC Endpoint MapperrunningRpcEptMapper/4(**(X4zé¢þÍ S—ÞÅ& {!|@€€zé¢þÍ$€X4 ÞáÜ4 6Remote Procedure Call (RPC)runningRpcSs/4(**Y4ú£þÍ S—ÞÅ& m!|@€€ú£þÍ$ˆY4 ÞáÜ4 "Windows Event Logrunningeventlog/4**(Z427£þÍ S—ÞÅ& y!|@€€27£þÍ$tZ4 ÞáÜ4 4Multimedia Class SchedulerrunningMMCSS/4(**H[4ðÆãþÍ S—ÞÅ& Ÿ!|@€€ðÆãþÍ$t[4 ÞáÜ4 <.Windows Audio Endpoint Builderrunning.AudioEndpointBuilder/4H**\4J)Æ£þÍ S—ÞÅ& e!|@€€J)Æ£þÍ$`\4 ÞáÜ4 Windows AudiorunningAudioSrv/4**]4Ð76¤þÍ S—ÞÅ& S!|@€€Ð76¤þÍ$t]4 ÞáÜ4  ThemesrunningThemes/4**^4¼˜W¤þÍ S—ÞÅ& k!|@€€¼˜W¤þÍ$`^4 ÞáÜ4 &Group Policy Clientrunninggpsvc/4** _4¼˜W¤þÍ S—ÞÅ& q!|@€€¼˜W¤þÍ$`_4 ÞáÜ4 (User Profile ServicerunningProfSvc/4 **`42Ih¤þÍ S—ÞÅ& i!|@€€2Ih¤þÍ$``4 ÞáÜ4 Offline FilesrunningCscService/4** a4Ìö¶¤þÍ S—ÞÅ& s!|@€€Ìö¶¤þÍ$`a4 ÞáÜ4 "COM+ Event SystemrunningEventSystem/4 **0b4B§Ç¤þÍ S—ÞÅ& …!|@€€B§Ç¤þÍ$`b4 ÞáÜ4 BSystem Event Notification ServicerunningSENS/40**@c4“Ó¤þÍ S—ÞÅ& ‘!|@€€“Ó¤þÍ$`c4 ÞáÜ4 LDesktop Window Manager Session ManagerrunningUxSms/4@** d4“Ó¤þÍ S—ÞÅ& w!|@€€“Ó¤þÍ$`d4 ÞáÜ4 2Security Accounts ManagerrunningSamSs/4 **`e4¥þÍ S—ÞÅ& µ!|@€€¥þÍ$`e4 ÞáÜ4 lWindows Driver Foundation - User-mode Driver Frameworkrunningwudfsvc/4`**(f4Z´V¥þÍ S—ÞÅ& !|@€€Z´V¥þÍ$`f4 ÞáÜ4 > Network Store Interface Servicerunning nsi/4(** g4‰¬¥þÍ S—ÞÅ& s!|@€€‰¬¥þÍ$`g4 ÞáÜ4 *TCP/IP NetBIOS Helperrunninglmhosts/4 **Ph4j¶¥þÍ ¼"_Ý®  : 9!Dtà j¶¥þÍPß…D„h4Microsoft-Windows-Dhcp-Clientø¤§r«N«­ùŠMfjíSystem Ý&Îîg¶Ý&ÎîË|Ö Žp)·cîÿÿ—P**(i4”‡Ë¥þÍ ¼"_Ý®  > !>fÇ ”‡Ë¥þÍ8Þ…á…Dti4Microsoft-Windows-DHCPv6-Client+jj8L•¥\«;gxSystem Ý&Îîg¶(**j4îéÍ¥þÍ S—ÞÅ& Y!|@€€îéÍ¥þÍ$tj4 ÞáÜ4 DHCP ClientrunningDhcp/4**k4îéÍ¥þÍ S—ÞÅ& _!|@€€îéÍ¥þÍ$`k4 ÞáÜ4 DNS ClientrunningDnscache/4**8l4¢®Ò¥þÍ S—ÞÅ& ‹!|@€€¢®Ò¥þÍ$`l4 ÞáÜ4 0&Shell Hardware Detectionrunning&ShellHWDetection/48**m4”´ü¦þÍ S—ÞÅ& g!|@€€”´ü¦þÍ$`m4 ÞáÜ4 Task SchedulerrunningSchedule/4**n48HÓ§þÍ S—ÞÅ& c!|@€€8HÓ§þÍ$„n4 ÞáÜ4 Print SpoolerrunningSpooler/4**`o4¬¶§þÍ åÃ}>V½åÃ}>³ö8±¡EÅPEžÛAÏMsj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿGøAÿÿÔËF=*Microsoft-Windows-WER-SystemErrorReportingF†&{ABCE23E7-DE45-4366-8631-84FA6C525952}íBugCheckAS t §  Ð õ  ?Aÿÿj “ Á AÿÿöFFAÿÿ‚F§Ì ÿÿöSystemÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · ! Å!é@€¬¶§þÍo4 ²¤ÁÔÀ¹²¤Á{vEê`QØi^ž_ãÿÿ„—Aÿÿ#¿=param1 Aÿÿ#¿=param2 Aÿÿ#¿=param3 ¶*0x00010001 (0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000)C:\Windows\MEMORY.DMP040612-50390-01`**p4VÍ9¨þÍ S—ÞÅ& k!|@€€VÍ9¨þÍ$`p4 ÞáÜ4 * Base Filtering Enginerunning BFE/4**q4(¥¨þÍ S—ÞÅ& g!|@€€(¥¨þÍ$`q4 ÞáÜ4  Windows FirewallrunningMpsSvc/4** r4ø)¸¨þÍ S—ÞÅ& s!|@€€ø)¸¨þÍ$`r4 ÞáÜ4 (Workstationrunning(LanmanWorkstation/4 **s4"ŸÍ¨þÍ S—ÞÅ& [!|@€€"ŸÍ¨þÍ$`s4 ÞáÜ4 NetlogonrunningNetlogon/4** t47G©þÍ S—ÞÅ& w!|@€€7G©þÍ$`t4 ÞáÜ4 ,Cryptographic ServicesrunningCryptSvc/4 ** u4àIZ©þÍ S—ÞÅ& s!|@€€àIZ©þÍ$„u4 ÞáÜ4 2 Diagnostic Policy Servicerunning DPS/4 **Pv4<=¬þÍ S—ÞÅ& §!|@€€<=¬þÍ$ˆv4 ÞáÜ4 P"McAfee Host Intrusion Prevention Servicerunning"enterceptAgent/4P**xw4ü¥°þÍ S—ÞÅ& Ï!|@€€ü¥°þÍ$àw4 ÞáÜ4 JPMcAfee SiteAdvisor Enterprise ServicerunningPMcAfee SiteAdvisor Enterprise Service/4x**8x4b%r±þÍ S—ÞÅ& ‰!|@€€b%r±þÍ$àx4 ÞáÜ4 0$McAfee Framework Servicerunning$McAfeeFramework/48**Hy4 'ù²þÍ S—ÞÅ& ›!|@€€ 'ù²þÍ$ày4 ÞáÜ4 TMcAfee Validation Trust Protection Servicerunningmfevtp/4H**0z4€× ³þÍ ¼"_Ý®  P !É€€× ³þÍ|Lz4Microsoft-Windows-Application-ExperienceqNõîa-Bš˜‚ýI@¸ System Ý&Îîg¶0**@{4€× ³þÍ S—ÞÅ& •!|@€€€× ³þÍ$ˆ{4 ÞáÜ4 NProgram Compatibility Assistant ServicerunningPcaSvc/4@**0|4¼áÖ³þÍ S—ÞÅ& ‡!|@€€¼áÖ³þÍ$ˆ|4 ÞáÜ4 @Distributed Link Tracking ClientrunningTrkWks/40**(}4ö´K´þÍ S—ÞÅ& {!|@€€ö´K´þÍ$ˆ}4 ÞáÜ4 4Network Location AwarenessrunningNlaSvc/4(** ~4^>U´þÍ S—ÞÅ& q!|@€€^>U´þÍ$ˆ~4 ÞáÜ4 (VMware Tools ServicerunningVMTools/4 **84 Ô3°þÍ ¼"_Ý®  @ +!€ Ô3°þÍlÀ4Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <Õ×E Ô3°þÍÎvŽ´þÍ8**8€4z66°þÍ S—ÞÅ& !|@€€z66°þÍ$à€4 ÞáÜ4 DWindows Management InstrumentationrunningWinmgmt/48**(4Þ~À°þÍ S—ÞÅ& {!|@€€Þ~À°þÍ$ˆ4 ÞáÜ4 & McAfee Task Managerrunning McTaskManager/4(**‚4þ:±þÍ S—ÞÅ& i!|@€€þ:±þÍ$ˆ‚4 ÞáÜ4 McAfee McShieldrunningMcShield/4**0ƒ4š&²þÍ S—ÞÅ& ƒ!|@€€š&²þÍ$ˆƒ4 ÞáÜ4 *$VMware Upgrade Helperrunning$VMUpgradeHelper/40**„4€p²þÍ S—ÞÅ& ]!|@€€€p²þÍ$ˆ„4 ÞáÜ4 IP Helperrunningiphlpsvc/4**…4Èì²þÍ S—ÞÅ& _!|@€€Èì²þÍ$„…4 ÞáÜ4  ServerrunningLanmanServer/4**0†4ò+Æ·þÍ S—ÞÅ& !|@€€ò+Æ·þÍ$„†4 ÞáÜ4 8McAfee Firewall Core Servicerunningmfefire/40**(‡4’Qì·þÍ S—ÞÅ& }!|@€€’Qì·þÍ$„‡4 ÞáÜ4 ,Application ExperiencerunningAeLookupSvc/4(** ˆ4®Ÿú·þÍ S—ÞÅ& s!|@€€®Ÿú·þÍ$Àˆ4 ÞáÜ4 (Network List Servicerunningnetprofm/4 **0‰4¼Æ¸þÍ S—ÞÅ& …!|@€€¼Æ¸þÍ$À‰4 ÞáÜ4 ."Diagnostic Service Hostrunning"WdiServiceHost/40**(Š4¼Æ¸þÍ S—ÞÅ& !|@€€¼Æ¸þÍ$Š4 ÞáÜ4 .Remote Desktop ServicesrunningTermService/4(**0‹4Š%¸þÍ S—ÞÅ& !|@€€Š%¸þÍ$‹4 ÞáÜ4 , Diagnostic System Hostrunning WdiSystemHost/40**Œ4üN¸þÍ S—ÞÅ& a!|@€€üN¸þÍ$Œ4 ÞáÜ4 Windows TimerunningW32Time/4**@4VtP¸þÍ S—ÞÅ& “!|@€€VtP¸þÍ$4 ÞáÜ4 DPortable Device Enumerator ServicerunningWPDBusEnum/4@**Ž4Î[¹¸þÍ S—ÞÅ& m!|@€€Î[¹¸þÍ$ÀŽ4 ÞáÜ4  Windows DefenderrunningWinDefend/4**4h ¹þÍ S—ÞÅ& m!|@€€h ¹þÍ$4 ÞáÜ4  Windows DefenderstoppedWinDefend/1**`4 ¥$¹þÍ S—ÞÅ& ±!|@€€ ¥$¹þÍ$À4 ÞáÜ4 P,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**(‘4V5¹þÍ S—ÞÅ& !|@€€V5¹þÍ$‘4 ÞáÜ4 .Certificate PropagationrunningCertPropSvc/4(**0’4$}<¹þÍ S—ÞÅ& ‡!|@€€$}<¹þÍ$’4 ÞáÜ4 8Remote Desktop ConfigurationrunningSessionEnv/40**@“42¤C¹þÍ ¼"_Ý®  < :!%€2¤C¹þÍü¬“4Microsoft-Windows-Time-ServiceëÏíÐSN¬Ê¦ø»øËSystem ï…ý>ƒìï…ý>Á#å×­ä5TñAÿÿƒ—G=TMP_EVENT_TIME_SOURCE_REACHABLEAÿÿ+¿= TimeSource |Controller.shieldbase.local (ntp.d|0.0.0.0:123->10.3.58.4:123)@**”4¢ ®ºþÍ S—ÞÅ& i!|@€€¢ ®ºþÍ$„”4 ÞáÜ4  Computer BrowserrunningBrowser/4** •4<_½þÍ S—ÞÅ& u!|@€€<_½þÍ$„•4 ÞáÜ4 $IPsec Policy AgentrunningPolicyAgent/4 **`–4耖¿þÍ S—ÞÅ& ³!|@€€è€–¿þÍ$„–4 ÞáÜ4 `Remote Desktop Services UserMode Port RedirectorrunningUmRdpService/4`**8—44ôÁþÍ ¼"_Ý®  < 4!#€4ôÁþÍü0—4Microsoft-Windows-Time-ServiceëÏíÐSN¬Ê¦ø»øËSystem ÌÂÕ[ò®ÌÂÕu»Þj—\„ꃉAÿÿ}—A=TMP_EVENT_TIME_SOURCE_CHOSENAÿÿ+¿= TimeSource |Controller.shieldbase.local (ntp.d|0.0.0.0:123->10.3.58.4:123)8**8˜4¤£ÝþÍ ¼"_Ý®  4 ;!MY ¤£ÝþÍ ˜4Microsoft-Windows-Winlogonƒ³éÛó|1C‘̣ˣµ8System ÝLCh¹—*gy TJ¶‡(~Q8**™4J÷FÿþÍ S—ÞÅ& i!|@€€J÷FÿþÍ$X™4 ÞáÜ4 "CNG Key IsolationrunningKeyIso/4**š4XÂÿÍ S—ÞÅ& _!|@€€XÂÿÍ$Xš4 ÞáÜ4 WebClientrunningWebClient/4**@›4^0­ÿÍ S—ÞÅ& ‘!|@€€^0­ÿÍ$ì›4 ÞáÜ4 NBackground Intelligent Transfer ServicerunningBITS/4@**xœ4éKÿÍ S—ÞÅ& Ï!|@€€éKÿÍ$œ4 ÞáÜ4 XBMicrosoft .NET Framework NGEN v4.0.30319_X86runningBclr_optimization_v4.0.30319_32/4x**x4éKÿÍ S—ÞÅ& Ï!|@€€éKÿÍ$4 ÞáÜ4 XBMicrosoft .NET Framework NGEN v4.0.30319_X86stoppedBclr_optimization_v4.0.30319_32/1x**0ž4CŠÿÍ S—ÞÅ& …!|@€€CŠÿÍ$ž4 ÞáÜ4 >Windows Error Reporting ServicerunningWerSvc/40**Ÿ4XÛÿÍ S—ÞÅ& e!|@€€XÛÿÍ$„Ÿ4 ÞáÜ4 SSDP DiscoveryrunningSSDPSRV/4**x 4˜ìuÿÍ S—ÞÅ& Ï!|@€€˜ìuÿÍ$ 4 ÞáÜ4 XBMicrosoft .NET Framework NGEN v4.0.30319_X64runningBclr_optimization_v4.0.30319_64/4x S—ÞÅ& |@€€˜ìuÿÍ$¡4 ÞáÜ4 XMicrosoft .NET Framework NGEN v4.0.30319_X64stoppedBElfChnk‘A¡4Q5€0õö½=ÆÁÒ@Áö‹ÌÁ³=Šk[k§f›l”àlöзt?ø)j‚M+“t058%>4kÓº}UÕdsXaa¶!o†ög&d**¡4˜ìuÿÍ S—ÞÅ&S—ÞÅB•”"ó[¥ˆå›AMº Event‡j¼xmlns5http://schemas.microsoft.com/win/2004/08/events/eventÿÿßøoTSystemAÿÿ2ñ{ProviderF=K•NameService Control ManagerF†)Guid&{555908d1-a6d7-4695-8e1e-26931d2012f4}í`ÖEventSourceNameService Control ManagerAMSõaEventID't†)Ú Qualifiers "§ Version ÐdÎLevelõE{Task ®Opcode$?jÏKeywordsAÿÿPj;Ž TimeCreated'“j<{ SystemTime .ÁF EventRecordID Aÿÿ…ö¢ò Correlation\F ñ ActivityIDFS5ÅRelatedActivityIDAÿÿm‚¸µ ExecutionHF§ × ProcessIDÌõ…9ThreadID ÿÿ.öƒaChannelSystemÿÿb+j;nComputerWKS-WIN764BITB.shieldbase.localAÿÿB”í .Security·fLUserID ! ¢!|@€€˜ìuÿÍ$¡4 ÞáÜ4dÞáÜ4v¢ä“ú*…M^pâ»ÿÿ¯‹D‚ EventDataAÿÿ5³§ŠoData=param1 Aÿÿ#³=param2 ÿÿ  !¸Binary XBMicrosoft .NET Framework NGEN v4.0.30319_X64stoppedBclr_optimization_v4.0.30319_64/1l**0¢4®µ±ÿÍ S—ÞÅ& !|@€€®µ±ÿÍ$„¢4 ÞáÜ4d4Windows Font Cache ServicerunningFontCache/4and 0**£4;‰¹ ÿÍ S—ÞÅ& m!|@€€;‰¹ ÿÍ$„£4 ÞáÜ4d&Software Protectionrunningsppsvc/4**¤4ƒÎg ÿÍ S—ÞÅ& e!|@€€ƒÎg ÿÍ$¤4 ÞáÜ4dSecurity Centerrunningwscsvc/4lz…**¥4ݼ¦ ÿÍ S—ÞÅ& m!|@€€Ý¼¦ ÿÍ$¥4 ÞáÜ4d&Network ConnectionsrunningNetman/4in**¦4SXIÿÍ S—ÞÅ& e!|@€€SXIÿÍ$¦4 ÞáÜ4dWindows SearchrunningWSearch/4b **§4Q ÿÍ S—ÞÅ& g!|@€€Q ÿÍ$§4 ÞáÜ4dWindows Updaterunningwuauserv/4á**@¨4?æ5ÿÍ S—ÞÅ& “!|@€€?æ5ÿÍ$X¨4 ÞáÜ4dDPortable Device Enumerator ServicestoppedWPDBusEnum/1@**0©4‘%KÿÍ S—ÞÅ& …!|@€€‘%KÿÍ$X©4 ÞáÜ4d>Windows Error Reporting ServicestoppedWerSvc/10**ª4]Ó½¸ÿÍ S—ÞÅ& W!|@€€]Ó½¸ÿÍ$ª4 ÞáÜ4d PsExecrunningPSEXESVC/4**«4ÖÒl¹ÿÍ S—ÞÅ& W!|@€€ÖÒl¹ÿÍ$$ «4 ÞáÜ4d PsExecstoppedPSEXESVC/1**¬4oÂ(ÆÿÍ S—ÞÅ& m!|@€€oÂ(ÆÿÍ$$ ¬4 ÞáÜ4d&Software Protectionstoppedsppsvc/1**(­49•¼ÐÿÍ S—ÞÅ& y!|@€€9•¼ÐÿÍ$$ ­4 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**(®4 ½hÍ S—ÞÅ& }!|@€€ ½hÍ$”®4 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**`¯4‘¥vÍ S—ÞÅ& ±!|@€€‘¥vÍ$”¯4 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**°4ë7GÚÍ S—ÞÅ& e!|@€€ë7GÚÍ$0 °4 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@±4཭ÚÍ S—ÞÅ& “!|@€€à½­ÚÍ$À ±4 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**8²4l” Í S—ÞÅ& !|@€€l” Í$À ²4 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**³4×ÐUGÍ S—ÞÅ& e!|@€€×ÐUGÍ$”³4 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@´4pF¤²Í S—ÞÅ& “!|@€€pF¤²Í$˜´4 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**0µ4¬àÔ?Í S—ÞÅ& !|@€€¬àÔ?Í$ˆ µ4 ÞáÜ4d, Diagnostic System Hoststopped WdiSystemHost/10**(¶4¿1ÆÍ S—ÞÅ&  s!€@€€¿1ÆÍ$ð¶4 cÒ3!cÒ3þœ ©™Î}²F±ôºÿÿ®‹Aÿÿ#³=param1 Aÿÿ#³=param2 Aÿÿ#³=param3 Aÿÿ#³=param4 2 Windows Modules Installerdemand startauto startTrustedInstaller(**X·4¨d¡ÉÍ S—ÞÅ&  ¡!€@€€¨d¡ÉÍ$ð·4 cÒ3!2 Windows Modules Installerauto startdemand startTrustedInstallerX**8¸4Ÿ»ÉÍ S—ÞÅ& !|@€€Ÿ»ÉÍ$ð¸4 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**(¹4¬ž=FÍ S—ÞÅ& }!|@€€¬ž=FÍ$p ¹4 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**`º4uΙiÍ S—ÞÅ&  ¥!€@€€uΙiÍ$` º4 cÒ3!NBackground Intelligent Transfer Serviceauto startdemand startBITS`**(»4±áï«Í S—ÞÅ& }!|@€€±áï«Í$À »4 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**(¼4Îá¦P Í S—ÞÅ& }!|@€€Îá¦P Í$Ä ¼4 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**0½4ðÁ Í S—ÞÅ& …!|@€€ðÁ Í$L½4 ÞáÜ4d>Windows Error Reporting ServicerunningWerSvc/40**0¾4¯ Í S—ÞÅ& …!|@€€¯ Í$d ¾4 ÞáÜ4d>Windows Error Reporting ServicestoppedWerSvc/10**(¿4¤ÉyBÍ S—ÞÅ& }!|@€€¤ÉyBÍ$”¿4 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**ÀÀ4Í@yÍ rBøë.rBøë9S‘(B{ÌuõKÃA·Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ/øAÿÿ"=EventLogAS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · ! ;!}€€Í@yÍÀ4 FÓìt0FÓì%g>¶9×{p(é4ÿÿ(‹ ³  L€686260300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.localÀ**(Á4€ÞryÍ S—ÞÅ& }!|@€€€ÞryÍ$ôÁ4 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**(Â4ùÏ“Í S—ÞÅ& }!|@€€ùÏ“Í$äÂ4 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**èÃ4ëy´ Í ¼"_Ý5¼"_ÝÖJKlôñ¹®¼9VA Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ‚øAÿÿF=†AS t §  Ð õ  ?Aÿÿj “ Á AÿÿöFF Aÿÿ‚F§Ì  öÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · !  @ ­!€ëy´ ÍlÀÃ4Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <Õ58z <ÕÐ!ö{ôA²»Äjÿÿ^‹Aÿÿ%³=NewTime Aÿÿ%³=OldTime Ѐ Íž›à|Íè**Ä4€}“ Í TÄÃŒ9TÄÃŒZ-yŸµúÜås MiÃA·Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ/øAÿÿ"=NETLOGONAS t Ð õ ?Aÿÿj “ Á ÿÿöSystemÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · ! “!—€€}“ ÍÄ4 FÓìt0p\\Controller.shieldbase.localSHIELDBASEWKS-WIN764BITB**`Å49 BR Í S—ÞÅ& ±!|@€€9 BR Í$ Å4 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`** Æ4ˆ`t Í S—ÞÅ& Û!…@€€ˆ`t Í$èÆ4—*gy TJ¶‡(~‰ YA¶&%>YA¶&§Ÿï)Úì ÛY„ÿÿ‹Aÿÿ-³= ServiceName Aÿÿ)³= ImagePath Aÿÿ-³= ServiceType Aÿÿ)³= StartType Aÿÿ-³= AccountName  2"PsExec%SystemRoot%\PSEXESVC.EXEuser mode servicedemand startLocalSystem **Ç4e‹½t Í S—ÞÅ& W!|@€€e‹½t Í$@Ç4 ÞáÜ4d PsExecrunningPSEXESVC/4**(È4±ãt Í S—ÞÅ& }!|@€€±ãt Í$@È4 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**É4Ð^2u Í S—ÞÅ& W!|@€€Ð^2u Í$èÉ4 ÞáÜ4d PsExecstoppedPSEXESVC/1**Ê4y“‰!Í S—ÞÅ& m!|@€€y“‰!Í$` Ê4 ÞáÜ4d&Software Protectionrunningsppsvc/4** Ë4ñ÷”Š!Í S—ÞÅ& w!|@€€ñ÷”Š!Í$PË4 ÞáÜ4d.Application InformationrunningAppinfo/4 **Ì4¦®˜!Í S—ÞÅ& e!|@€€¦®˜!Í$` Ì4 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@Í4Aô¼˜!Í S—ÞÅ& “!|@€€Aô¼˜!Í$PÍ4 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**(Î4‚¸¹!Í S—ÞÅ& y!|@€€‚¸¹!Í$¸ Î4 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**Ï4ª‚%"Í S—ÞÅ& e!|@€€ª‚%"Í$¸ Ï4 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**Ð4ˆ;="Í S—ÞÅ& m!|@€€ˆ;="Í$\ Ð4 ÞáÜ4d&Software Protectionstoppedsppsvc/1**(Ñ4jatl"Í S—ÞÅ& y!|@€€jatl"Í$PÑ4 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**(Ò4<œÒ{"Í ¼"_Ý5  <  !2€<œÒ{"ÍüP Ò4Microsoft-Windows-Time-ServiceëÏíÐSN¬Ê¦ø»øËSystem Љ¦ +M9Љ¦ J…£Þ£§Ÿ™?åAÿÿÙ‹==TMP_EVENT_LOCALCLOCK_UNSETAÿÿK³==TimeDifferenceMilliseconds Aÿÿ9³+=TimeSampleSeconds ˆ„(**@Ó4 Æ["Í S—ÞÅ& “!|@€€ Æ["Í$tÓ4 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`Ô4qx "Í S—ÞÅ& ±!|@€€qx "Í$\ Ô4 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**(Õ4&9ž$Í S—ÞÅ& }!|@€€&9ž$Í$H Õ4 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**(Ö4`”§$Í S—ÞÅ& }!|@€€`”§$Í$`Ö4 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**(×4)Ç(Í S—ÞÅ& }!|@€€)Ç(Í$ ×4 ÞáÜ4d,Application ExperiencestoppedAeLookupSvc/1(**øØ4ÄĈ )Í ¼"_Ý5  @ ß! €ÄĈ )ͦ~P Ñ!€Ê– )Í ~P´v«SZGslÿÿ`‹Aÿÿ-³= FinalStatus Aÿÿ;³-=DeviceVersionMajor Aÿÿ;³-=DeviceVersionMinor Aÿÿ7³)=DeviceNameLength Aÿÿ+³= DeviceName Aÿÿ+³= DeviceTime FileInfo€¶ÊíðÊè**PÚ44#))Í rBøë. ¥!x€€4#))ÍÚ4 FÓìt0B@3:09:23 PM 4/ 6/ 201214071@Ü KÜ K` <` °ïP**8Û44#))Í rBøë. ‹!y€€4#))ÍÛ4 FÓìt0h6.01.7601Service Pack 1Multiprocessor Free175148**èÜ44#))Í rBøë. ;!u€€4#))ÍÜ4 FÓìt0Ü Øè**˜Ý4€Ê»))Í rBøë. ë!}€€€Ê»))ÍÝ4 FÓìt0H€5260300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local˜**`Þ4Lx)Í ¼"_Ý5  < E!?)€Lx)ÍÞ~Þ4Microsoft-Windows-Kernel-Power:;3 ÂD¬^w" 7Ö´System ùœ¿Âaa+Mùœ¿Â¡J|¿®O…§¼ÒÿÿÆ‹Aÿÿ/³!= BugcheckCode Aÿÿ;³-=BugcheckParameter1 Aÿÿ;³-=BugcheckParameter2 Aÿÿ;³-=BugcheckParameter3 Aÿÿ;³-=BugcheckParameter4 Aÿÿ5³'=SleepInProgress  Aÿÿ?³1=PowerButtonTimestamp    `**ß4ÒÚ¬)Í ¼"_Ý5  P í!€ÒÚ¬)ÍÞ~4ß4Microsoft-Windows-Kernel-Processor-PowerŸägQþŸN´o)HÌ`'System ÿJ¶–ÕdÿJ¶–°e8©R°_éÕÌ~šÿÿŽ‹Aÿÿ!³=Group Aÿÿ#³=Number Aÿÿ3³%=IdleStateCount Aÿÿ3³%=PerfStateCount Aÿÿ;³-=ThrottleStateCount AÿÿIfZ  ComplexData= IdleState ŽAÿÿ)f= PerfState Ž**à4`áË')Í S—ÞÅ& e!|@€€`áË')Í `à4 ÞáÜ4dPlug and PlayrunningPlugPlay/4**há4`áË')Í Ü¸,ög.ܸ,Ë™ ŸîuJˆ§7j°=Aÿÿ1Msj5http://schemas.microsoft.com/win/2004/08/events/eventÿÿ‚øAÿÿF=†AS t §  Ð õ  ?Aÿÿj “ Á AÿÿöFF Aÿÿ‚F§Ì  öÿÿH+WKS-WIN764BITB.shieldbase.localAÿÿ” · $)jF5DUserData!  2 !b*N€`áË')ÍÞ~ á4Microsoft-Windows-UserPnpP ô–1~›l]ÏInstallSubsystemState ÿÿ>àl ¡ÝCachingSubsystemState    h**øâ4Tñ()Í S—ÞÅ& O!|@€€Tñ()Í `â4 ÞáÜ4d PowerrunningPower/4ø**`ã4>J()Í ¼"_Ý5  > G!€>J()ÍÞ~@ã4Microsoft-Windows-FilterManagerŽâÅóöcÇI¢äŠÄ°System ¼w7sX luafv€x‰ÈïÊ`**0ä4B‰–()Í S—ÞÅ& ‡!|@€€B‰–()Í `ä4 ÞáÜ4d8DCOM Server Process LauncherrunningDcomLaunch/40**(å4Æ`®()Í S—ÞÅ& y!|@€€Æ`®()Í `å4 ÞáÜ4d&RPC Endpoint MapperrunningRpcEptMapper/4(**(æ4(rà()Í S—ÞÅ& {!|@€€(rà()Í `æ4 ÞáÜ4d6Remote Procedure Call (RPC)runningRpcSs/4(**ç4¸fØ))Í S—ÞÅ& m!|@€€¸fØ))Í „ç4 ÞáÜ4d"Windows Event Logrunningeventlog/4**(è4²î*)Í S—ÞÅ& y!|@€€²î*)Í `è4 ÞáÜ4d4Multimedia Class SchedulerrunningMMCSS/4(**Hé4aT*)Í S—ÞÅ& Ÿ!|@€€aT*)Í `é4 ÞáÜ4d<.Windows Audio Endpoint Builderrunning.AudioEndpointBuilder/4H**ê4aT*)Í S—ÞÅ& e!|@€€aT*)Í pê4 ÞáÜ4dWindows AudiorunningAudioSrv/4**ë4ă¸*)Í S—ÞÅ& S!|@€€Äƒ¸*)Í `ë4 ÞáÜ4d ThemesrunningThemes/4** ì4, Â*)Í S—ÞÅ& q!|@€€, Â*)Í `ì4 ÞáÜ4d(User Profile ServicerunningProfSvc/4 **í4H[Ð*)Í S—ÞÅ& i!|@€€H[Ð*)Í `í4 ÞáÜ4dOffline FilesrunningCscService/4**î4¢½Ò*)Í S—ÞÅ& k!|@€€¢½Ò*)Í `î4 ÞáÜ4d&Group Policy Clientrunninggpsvc/4** ï4ö§ý*)Í S—ÞÅ& s!|@€€ö§ý*)Í `ï4 ÞáÜ4d"COM+ Event SystemrunningEventSystem/4 **0ð4¤ô*+)Í S—ÞÅ& …!|@€€¤ô*+)Í `ð4 ÞáÜ4dBSystem Event Notification ServicerunningSENS/40**@ñ4ÀB9+)Í S—ÞÅ& ‘!|@€€ÀB9+)Í `ñ4 ÞáÜ4dLDesktop Window Manager Session ManagerrunningUxSms/4@** ò4ÀB9+)Í S—ÞÅ& w!|@€€ÀB9+)Í `ò4 ÞáÜ4d2Security Accounts ManagerrunningSamSs/4 **`ó4Ây‘+)Í S—ÞÅ& µ!|@€€Ây‘+)Í `ó4 ÞáÜ4dlWindows Driver Foundation - User-mode Driver Frameworkrunningwudfsvc/4`**(ô4pƾ+)Í S—ÞÅ& !|@€€pƾ+)Í `ô4 ÞáÜ4d> Network Store Interface Servicerunning nsi/4(** õ4ìä+)Í S—ÞÅ& s!|@€€ìä+)Í `õ4 ÞáÜ4d*TCP/IP NetBIOS Helperrunninglmhosts/4 **ö4V¯,)Í S—ÞÅ& _!|@€€V¯,)Í `ö4 ÞáÜ4dDNS ClientrunningDnscache/4**P÷4V¯,)Í ¼"_Ý5  : 9!Dtà V¯,)ÍÞ~4”÷4Microsoft-Windows-Dhcp-Clientø¤§r«N«­ùŠMfjíSystem Ý&Îîo†Ý&ÎîË|Ö Žp)·cîÿÿ‹P**(ø4&Â,)Í ¼"_Ý5  > !>fÇ &Â,)ÍxÝ~4,ø4Microsoft-Windows-DHCPv6-Client+jj8L•¥\«;gxSystem Ý&Îîo†(**ù4&Â,)Í S—ÞÅ& Y!|@€€&Â,)Í `ù4 ÞáÜ4dDHCP ClientrunningDhcp/4**8ú4è­',)Í S—ÞÅ& ‹!|@€€è­',)Í `ú4 ÞáÜ4d0&Shell Hardware Detectionrunning&ShellHWDetection/48**û4ÄÝ-)Í S—ÞÅ& g!|@€€ÄÝ-)Í `û4 ÞáÜ4dTask SchedulerrunningSchedule/4**ü4Ø©*.)Í S—ÞÅ& c!|@€€Ø©*.)Í dü4 ÞáÜ4dPrint SpoolerrunningSpooler/4**ý4^¸š.)Í S—ÞÅ& k!|@€€^¸š.)Í dý4 ÞáÜ4d* Base Filtering Enginerunning BFE/4**þ4úœA/)Í S—ÞÅ& g!|@€€úœA/)Í dþ4 ÞáÜ4d Windows FirewallrunningMpsSvc/4** ÿ4b&K/)Í S—ÞÅ& s!|@€€b&K/)Í dÿ4 ÞáÜ4d(Workstationrunning(LanmanWorkstation/4 **5æýb/)Í S—ÞÅ& [!|@€€æýb/)Í d5 ÞáÜ4dNetlogonrunningNetlogon/4** 5ª Ç/)Í S—ÞÅ& w!|@€€ª Ç/)Í `5 ÞáÜ4d,Cryptographic ServicesrunningCryptSvc/4 ** 5Àöý/)Í S—ÞÅ& s!|@€€Àöý/)Í d5 ÞáÜ4d2 Diagnostic Policy Servicerunning DPS/4 **P5\i5)Í S—ÞÅ& §!|@€€\i5)Í p5 ÞáÜ4dP"McAfee Host Intrusion Prevention Servicerunning"enterceptAgent/4P**x5„®;)Í S—ÞÅ& Ï!|@€€„®;)Í 5 ÞáÜ4dJPMcAfee SiteAdvisor Enterprise ServicerunningPMcAfee SiteAdvisor Enterprise Service/4x**85’U<)Í S—ÞÅ& ‰!|@€€’U<)Í Ð5 ÞáÜ4d0$McAfee Framework Servicerunning$McAfeeFramework/48**H5ª<>)Í S—ÞÅ& ›!|@€€ª<>)Í Ð5 ÞáÜ4dTMcAfee Validation Trust Protection Servicerunningmfevtp/4H**05ÆŠ#>)Í ¼"_Ý5  P !ɀƊ#>)Íd85Microsoft-Windows-Application-ExperienceqNõîa-Bš˜‚ýI@¸ System Ý&Îîo†0**@5ÆŠ#>)Í S—ÞÅ& •!|@€€ÆŠ#>)Í „5 ÞáÜ4dNProgram Compatibility Assistant ServicerunningPcaSvc/4@**0 5PD?)Í S—ÞÅ& ‡!|@€€PD?)Í Ð 5 ÞáÜ4d@Distributed Link Tracking ClientrunningTrkWks/40**( 5bœû?)Í S—ÞÅ& {!|@€€bœû?)Í Ð 5 ÞáÜ4d4Network Location AwarenessrunningNlaSvc/4(**  5¼þý?)Í S—ÞÅ& q!|@€€¼þý?)Í „ 5 ÞáÜ4d(VMware Tools ServicerunningVMTools/4 **8 5¨_@)Í S—ÞÅ& !|@€€¨_@)Í „ 5 ÞáÜ4dDWindows Management InstrumentationrunningWinmgmt/48**8 5šÆ$A)Í ¼"_Ý5  @ +!€šÆ$A)Í\  5Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <Õ58@d"A)Íî"C@)Í8**(5ÄhkB)Í S—ÞÅ& {!|@€€ÄhkB)Í `5 ÞáÜ4d& McAfee Task Managerrunning McTaskManager/4(**5®¿eC)Í S—ÞÅ& i!|@€€®¿eC)Í „5 ÞáÜ4dMcAfee McShieldrunningMcShield/4**05Ü¢+D)Í S—ÞÅ& ƒ!|@€€Ü¢+D)Í „5 ÞáÜ4d*$VMware Upgrade Helperrunning$VMUpgradeHelper/40**5€6E)Í S—ÞÅ& ]!|@€€€6E)Í „5 ÞáÜ4dIP Helperrunningiphlpsvc/4**5ØŽÝE)Í S—ÞÅ& _!|@€€ØŽÝE)Í `5 ÞáÜ4d ServerrunningLanmanServer/4**05M)Í S—ÞÅ& !|@€€M)Í `5 ÞáÜ4d8McAfee Firewall Core Servicerunningmfefire/40**05ϹM)Í S—ÞÅ& …!|@€€Ï¹M)Í d5 ÞáÜ4d."Diagnostic Service Hostrunning"WdiServiceHost/40** 5ϹM)Í S—ÞÅ& s!|@€€Ï¹M)Í d5 ÞáÜ4d(Network List Servicerunningnetprofm/4 **05¦¥ðM)Í S—ÞÅ& !|@€€¦¥ðM)Í d5 ÞáÜ4d, Diagnostic System Hostrunning WdiSystemHost/40**(5ZjõM)Í S—ÞÅ& !|@€€ZjõM)Í d5 ÞáÜ4d.Remote Desktop ServicesrunningTermService/4(**@5v¸N)Í S—ÞÅ& “!|@€€v¸N)Í d5 ÞáÜ4dDPortable Device Enumerator ServicerunningWPDBusEnum/4@**5TòN)Í S—ÞÅ& a!|@€€TòN)Í D5 ÞáÜ4dWindows TimerunningW32Time/4**5FøGO)Í S—ÞÅ& m!|@€€FøGO)Í D5 ÞáÜ4d Windows DefenderrunningWinDefend/4**05ºž1P)Í S—ÞÅ& ‡!|@€€ºž1P)Í D5 ÞáÜ4d8Remote Desktop ConfigurationrunningSessionEnv/40**`5¦ÿRP)Í S—ÞÅ& ±!|@€€¦ÿRP)Í D5 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**(58þqP)Í S—ÞÅ& !|@€€8þqP)Í 5 ÞáÜ4d.Certificate PropagationrunningCertPropSvc/4(**58+£Q)Í S—ÞÅ& m!|@€€8+£Q)Í D5 ÞáÜ4d Windows DefenderstoppedWinDefend/1**5jOèQ)Í S—ÞÅ& i!|@€€jOèQ)Í Ð5 ÞáÜ4d Computer BrowserrunningBrowser/4**@ 5[–R)Í ¼"_Ý5  < :!%€[–R)Íì¼ 5Microsoft-Windows-Time-ServiceëÏíÐSN¬Ê¦ø»øËSystem ï…ý>¶ï…ý>Á#å×­ä5TñAÿÿƒ‹G=TMP_EVENT_TIME_SOURCE_REACHABLEAÿÿ+³= TimeSource |Controller.shieldbase.local (ntp.d|0.0.0.0:123->10.3.58.9:123)@** !58ßgV)Í S—ÞÅ& u!|@€€8ßgV)Í Ð!5 ÞáÜ4d$IPsec Policy AgentrunningPolicyAgent/4 **`"5pZ)Í S—ÞÅ& ³!|@€€pZ)Í "5 ÞáÜ4d`Remote Desktop Services UserMode Port RedirectorrunningUmRdpService/4`**8#5> [)Í ¼"_Ý5  < 4!#€> [)ÍìP #5Microsoft-Windows-Time-ServiceëÏíÐSN¬Ê¦ø»øËSystem ÌÂÕÓº5ÌÂÕu»Þj—\„ꃉAÿÿ}‹A=TMP_EVENT_TIME_SOURCE_CHOSENAÿÿ+³= TimeSource |Controller.shieldbase.local (ntp.d|0.0.0.0:123->10.3.58.9:123)8**x$5êÚ))Í S—ÞÅ& Ï!|@€€êÚ))Í $5 ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X86runningBclr_optimization_v4.0.30319_32/4x**x%5êÚ))Í S—ÞÅ& Ï!|@€€êÚ))Í %5 ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X86stoppedBclr_optimization_v4.0.30319_32/1x**@&5Íÿ<)Í S—ÞÅ& “!|@€€Íÿ<)Í &5 ÞáÜ4dDPortable Device Enumerator ServicestoppedWPDBusEnum/1@**x'5䳋)Í S—ÞÅ& Ï!|@€€ä³‹)Í '5 ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X64runningBclr_optimization_v4.0.30319_64/4x**x(5䳋)Í S—ÞÅ& Ï!|@€€ä³‹)Í (5 ÞáÜ4dXBMicrosoft .NET Framework NGEN v4.0.30319_X64stoppedBclr_optimization_v4.0.30319_64/1x**0)5 ö)Í S—ÞÅ& !|@€€ ö)Í )5 ÞáÜ4d4Windows Font Cache ServicerunningFontCache/40***5qº")Í S—ÞÅ& m!|@€€qº")Í *5 ÞáÜ4d&Software Protectionrunningsppsvc/4**+5yÇU)Í S—ÞÅ& e!|@€€yÇU)Í +5 ÞáÜ4dSecurity Centerrunningwscsvc/4**,5 ñ[–)Í S—ÞÅ& e!|@€€ ñ[–)Í Ì ,5 ÞáÜ4dWindows SearchrunningWSearch/4**-5\\ž)Í S—ÞÅ& g!|@€€\\ž)Í Ì -5 ÞáÜ4dWindows Updaterunningwuauserv/4**(.5£­™Ï)Í S—ÞÅ& y!|@€€£­™Ï)Í è .5 ÞáÜ4d4Multimedia Class SchedulerstoppedMMCSS/1(**(/5Gìê)Í S—ÞÅ& }!|@€€Gìê)Í (/5 ÞáÜ4d,Application ExperiencerunningAeLookupSvc/4(**805Àù)Í S—ÞÅ& ‹!|@€€Àù)Í (05 ÞáÜ4d0&Shell Hardware Detectionstopped&ShellHWDetection/18**15Ó¸?6*Í S—ÞÅ& m!|@€€Ó¸?6*Í @ 15 ÞáÜ4d&Software Protectionstoppedsppsvc/1**825´Ó¨P+Í ¼"_Ý5  @ +!€´Ó¨P+Í\ 25Microsoft-Windows-Kernel-General·¨Œ¦O¶×¦˜âÞ]System z <Õ58ð‚~P+Í2ÄW&+Í8**`35 «+Í S—ÞÅ& ±!|@€€ «+Í €35 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`**45Q©of.Í S—ÞÅ& e!|@€€Q©of.Í ø 45 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@55è'Ñf.Í S—ÞÅ& “!|@€€è'Ñf.Í ˜ 55 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**865ŽD .Í S—ÞÅ& !|@€€ŽD .Í ø 65 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**75IåÓ.Í S—ÞÅ& e!|@€€IåÓ.Í Ì 75 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**085 Ö.Í S—ÞÅ& !|@€€ Ö.Í Ì 85 ÞáÜ4d, Diagnostic System Hoststopped WdiSystemHost/10**@95ô?/Í S—ÞÅ& “!|@€€ô?/Í Ð95 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**X:5tBã0Í S—ÞÅ&  ¡!€@€€tBã0Í ø :5 cÒ3!2 Windows Modules Installerdemand startauto startTrustedInstallerX**X;5dJ!0Í S—ÞÅ&  ¡!€@€€dJ!0Í ø ;5 cÒ3!2 Windows Modules Installerauto startdemand startTrustedInstallerX**8<54ÎX!0Í S—ÞÅ& !|@€€4ÎX!0Í ø <5 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**x=5]oÀ;Í S—ÞÅ&  ¿!…@€€]oÀ;Í ü=5 YA¶&%>J$MnemosyneC:\Windows\system32\Mnemosyne_x64.syskernel mode driverdemand startx**(>5é 4À;Í S—ÞÅ& !|@€€é 4À;Í ü>5 ÞáÜ4d"(FResponse Servicerunning(FResponse Service/4(**?5‹„±çrÍ S—ÞÅ& e!|@€€‹„±çrÍ ´ ?5 ÞáÜ4d$ Volume Shadow Copyrunning VSS/4**@@5ÿ »çrÍ S—ÞÅ& “!|@€€ÿ »çrÍ ¸@5 ÞáÜ4dNMicrosoft Software Shadow Copy Providerrunningswprv/4@**A5ÐRSsÍ S—ÞÅ& e!|@€€ÐRSsÍ ¸A5 ÞáÜ4d$ Volume Shadow Copystopped VSS/1**@B5Ы[¾sÍ S—ÞÅ& “!|@€€Ð«[¾sÍ øB5 ÞáÜ4dNMicrosoft Software Shadow Copy Providerstoppedswprv/1@**`C5ü’:€Í S—ÞÅ& ±!|@€€ü’:€Í ôC5 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**8D5#çqÍ S—ÞÅ& !|@€€#çqÍ ôD5 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**XE5áW‰‚Í S—ÞÅ&  ¡!€@€€áW‰‚Í pE5 cÒ3!2 Windows Modules Installerdemand startauto startTrustedInstallerX**XF5}¢í‚Í S—ÞÅ&  ¡!€@€€}¢í‚Í pF5 cÒ3!2 Windows Modules Installerauto startdemand startTrustedInstallerX**8G5î9‘‚Í S—ÞÅ& !|@€€î9‘‚Í pG5 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`H5||SÝ‚Í S—ÞÅ& ±!|@€€||SÝ‚Í pH5 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`** I5¡I‚×Í rBøë. ñ!}€€¡I‚×ÍI5 FÓìt0N€7486160300 Eastern Standard Time€1.10Windows 7 Ultimate6.1.7601 Build 7601 Service Pack 1Multiprocessor Free7601.win7sp1_gdr.111118-23304cdad221Not AvailableNot Available912048409WKS-WIN764BITB.shieldbase.local **`J5 ¬Ë$Í S—ÞÅ& ±!|@€€ ¬Ë$Í p J5 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicerunning,WinHttpAutoProxySvc/4`**K5¨ïÉ™$Í S—ÞÅ& m!|@€€¨ïÉ™$Í Œ K5 ÞáÜ4d&Software Protectionrunningsppsvc/4**8L5\Ù$Í S—ÞÅ& !|@€€\Ù$Í p L5 ÞáÜ4d2&Windows Modules Installerrunning&TrustedInstaller/48**M5\¥N%Í S—ÞÅ& m!|@€€\¥N%Í ˜M5 ÞáÜ4d&Software Protectionstoppedsppsvc/1**XN5L·Á&Í S—ÞÅ&  ¡!€@€€L·Á&Í l N5 cÒ3!2 Windows Modules Installerdemand startauto startTrustedInstallerX**XO5ðëW&Í S—ÞÅ&  ¡!€@€€ðëW&Í l O5 cÒ3!2 Windows Modules Installerauto startdemand startTrustedInstallerX**8P5hÖ‚&Í S—ÞÅ& !|@€€hÖ‚&Í l P5 ÞáÜ4d2&Windows Modules Installerstopped&TrustedInstaller/18**`Q5 žãÝ&Í S—ÞÅ& ±!|@€€ žãÝ&Í Q5 ÞáÜ4dP,WinHTTP Web Proxy Auto-Discovery Servicestopped,WinHttpAutoProxySvc/1`python-evtx-0.7.4/tests/fixtures.py000066400000000000000000000036311402613732500174220ustar00rootroot00000000000000import os import mmap import os.path import contextlib import pytest def system_path(): ''' fetch the file system path of the system.evtx test file. Returns: str: the file system path of the test file. ''' cd = os.path.dirname(__file__) datadir = os.path.join(cd, 'data') systempath = os.path.join(datadir, 'system.evtx') return systempath @pytest.yield_fixture def system(): ''' yields the contents of the system.evtx test file. the returned value is a memory map of the contents, so it acts pretty much like a byte string. Returns: mmap.mmap: the contents of the test file. ''' p = system_path() with open(p, 'rb') as f: with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf: yield buf def security_path(): ''' fetch the file system path of the security.evtx test file. Returns: str: the file system path of the test file. ''' cd = os.path.dirname(__file__) datadir = os.path.join(cd, 'data') secpath = os.path.join(datadir, 'security.evtx') return secpath @pytest.yield_fixture def security(): ''' yields the contents of the security.evtx test file. the returned value is a memory map of the contents, so it acts pretty much like a byte string. Returns: mmap.mmap: the contents of the test file. ''' p = security_path() with open(p, 'rb') as f: with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf: yield buf @pytest.fixture def data_path(): ''' fetch the file system path of the directory containing test files. Returns: str: the file system path of the test directory. ''' cd = os.path.dirname(__file__) datadir = os.path.join(cd, 'data') return datadir python-evtx-0.7.4/tests/test_chunks.py000066400000000000000000000121201402613732500200740ustar00rootroot00000000000000from fixtures import * import Evtx.Evtx as evtx EMPTY_MAGIC = '\x00' * 0x8 def test_chunks(system): ''' regression test parsing some known fields in the file chunks. Args: system (bytes): the system.evtx test file contents. pytest fixture. ''' fh = evtx.FileHeader(system, 0x0) # collected empirically expecteds = [ {'start_file': 1, 'end_file': 153, 'start_log': 12049, 'end_log': 12201}, {'start_file': 154, 'end_file': 336, 'start_log': 12202, 'end_log': 12384}, {'start_file': 337, 'end_file': 526, 'start_log': 12385, 'end_log': 12574}, {'start_file': 527, 'end_file': 708, 'start_log': 12575, 'end_log': 12756}, {'start_file': 709, 'end_file': 882, 'start_log': 12757, 'end_log': 12930}, {'start_file': 883, 'end_file': 1059, 'start_log': 12931, 'end_log': 13107}, {'start_file': 1060, 'end_file': 1241, 'start_log': 13108, 'end_log': 13289}, {'start_file': 1242, 'end_file': 1424, 'start_log': 13290, 'end_log': 13472}, {'start_file': 1425, 'end_file': 1601, 'start_log': 13473, 'end_log': 13649}, ] for i, chunk in enumerate(fh.chunks()): # collected empirically if i < 9: assert chunk.check_magic() is True assert chunk.magic() == 'ElfChnk\x00' assert chunk.calculate_header_checksum() == chunk.header_checksum() assert chunk.calculate_data_checksum() == chunk.data_checksum() expected = expecteds[i] assert chunk.file_first_record_number() == expected['start_file'] assert chunk.file_last_record_number() == expected['end_file'] assert chunk.log_first_record_number() == expected['start_log'] assert chunk.log_last_record_number() == expected['end_log'] else: assert chunk.check_magic() is False assert chunk.magic() == EMPTY_MAGIC def test_chunks2(security): ''' regression test parsing some known fields in the file chunks. Args: security (bytes): the security.evtx test file contents. pytest fixture. ''' fh = evtx.FileHeader(security, 0x0) # collected empirically expecteds = [ {'start_file': 1, 'end_file': 91, 'start_log': 1, 'end_log': 91}, {'start_file': 92, 'end_file': 177, 'start_log': 92, 'end_log': 177}, {'start_file': 178, 'end_file': 260, 'start_log': 178, 'end_log': 260}, {'start_file': 261, 'end_file': 349, 'start_log': 261, 'end_log': 349}, {'start_file': 350, 'end_file': 441, 'start_log': 350, 'end_log': 441}, {'start_file': 442, 'end_file': 530, 'start_log': 442, 'end_log': 530}, {'start_file': 531, 'end_file': 622, 'start_log': 531, 'end_log': 622}, {'start_file': 623, 'end_file': 711, 'start_log': 623, 'end_log': 711}, {'start_file': 712, 'end_file': 802, 'start_log': 712, 'end_log': 802}, {'start_file': 803, 'end_file': 888, 'start_log': 803, 'end_log': 888}, {'start_file': 889, 'end_file': 976, 'start_log': 889, 'end_log': 976}, {'start_file': 977, 'end_file': 1063, 'start_log': 977, 'end_log': 1063}, {'start_file': 1064, 'end_file': 1148, 'start_log': 1064, 'end_log': 1148}, {'start_file': 1149, 'end_file': 1239, 'start_log': 1149, 'end_log': 1239}, {'start_file': 1240, 'end_file': 1327, 'start_log': 1240, 'end_log': 1327}, {'start_file': 1328, 'end_file': 1414, 'start_log': 1328, 'end_log': 1414}, {'start_file': 1415, 'end_file': 1501, 'start_log': 1415, 'end_log': 1501}, {'start_file': 1502, 'end_file': 1587, 'start_log': 1502, 'end_log': 1587}, {'start_file': 1588, 'end_file': 1682, 'start_log': 1588, 'end_log': 1682}, {'start_file': 1683, 'end_file': 1766, 'start_log': 1683, 'end_log': 1766}, {'start_file': 1767, 'end_file': 1847, 'start_log': 1767, 'end_log': 1847}, {'start_file': 1848, 'end_file': 1942, 'start_log': 1848, 'end_log': 1942}, {'start_file': 1943, 'end_file': 2027, 'start_log': 1943, 'end_log': 2027}, {'start_file': 2028, 'end_file': 2109, 'start_log': 2028, 'end_log': 2109}, {'start_file': 2110, 'end_file': 2201, 'start_log': 2110, 'end_log': 2201}, {'start_file': 2202, 'end_file': 2261, 'start_log': 2202, 'end_log': 2261}, ] for i, chunk in enumerate(fh.chunks()): # collected empirically if i < 26: assert chunk.check_magic() is True assert chunk.magic() == 'ElfChnk\x00' assert chunk.calculate_header_checksum() == chunk.header_checksum() assert chunk.calculate_data_checksum() == chunk.data_checksum() expected = expecteds[i] assert chunk.file_first_record_number() == expected['start_file'] assert chunk.file_last_record_number() == expected['end_file'] assert chunk.log_first_record_number() == expected['start_log'] assert chunk.log_last_record_number() == expected['end_log'] else: assert chunk.check_magic() is False assert chunk.magic() == EMPTY_MAGIC python-evtx-0.7.4/tests/test_header.py000066400000000000000000000027451402613732500200450ustar00rootroot00000000000000from fixtures import * import Evtx.Evtx as evtx def test_file_header(system): ''' regression test parsing some known fields in the file header. Args: system (bytes): the system.evtx test file contents. pytest fixture. ''' fh = evtx.FileHeader(system, 0x0) # collected empirically assert fh.magic() == 'ElfFile\x00' assert fh.major_version() == 0x3 assert fh.minor_version() == 0x1 assert fh.flags() == 0x1 assert fh.is_dirty() is True assert fh.is_full() is False assert fh.current_chunk_number() == 0x8 assert fh.chunk_count() == 0x9 assert fh.oldest_chunk() == 0x0 assert fh.next_record_number() == 0x34d8 assert fh.checksum() == 0x41b4b1ec assert fh.calculate_checksum() == fh.checksum() def test_file_header2(security): ''' regression test parsing some known fields in the file header. Args: security (bytes): the security.evtx test file contents. pytest fixture. ''' fh = evtx.FileHeader(security, 0x0) # collected empirically assert fh.magic() == 'ElfFile\x00' assert fh.major_version() == 0x3 assert fh.minor_version() == 0x1 assert fh.flags() == 0x1 assert fh.is_dirty() is True assert fh.is_full() is False assert fh.current_chunk_number() == 0x19 assert fh.chunk_count() == 0x1a assert fh.oldest_chunk() == 0x0 assert fh.next_record_number() == 0x8b2 assert fh.checksum() == 0x3f6e33d5 assert fh.calculate_checksum() == fh.checksum() python-evtx-0.7.4/tests/test_issue_37.py000066400000000000000000000035451402613732500202550ustar00rootroot00000000000000import os import pytest import Evtx.Evtx as evtx from fixtures import * def test_corrupt_ascii_example(data_path): ''' regression test demonstrating issue 37. Args: data_path (str): the file system path of the test directory. ''' # record number two contains a QNAME xml element # with an ASCII text value that is invalid ASCII: # # 000002E0: 31 39 33 2E 31 2E 193.1. # 000002F0: 33 36 2E 31 32 31 30 2E 39 2E 31 35 2E 32 30 32 36.1210.9.15.202 # 00000300: 01 62 2E 5F 64 6E 73 2D 73 64 2E 5F 75 64 70 2E .b._dns-sd._udp. # 00000310: 40 A6 35 01 2E @.5.. # ^^ ^^ ^^ # with pytest.raises(UnicodeDecodeError): with evtx.Evtx(os.path.join(data_path, 'dns_log_malformed.evtx')) as log: for chunk in log.chunks(): for record in chunk.records(): assert record.xml() is not None def test_continue_parsing_after_corrupt_ascii(data_path): ''' regression test demonstrating issue 37. Args: data_path (str): the file system path of the test directory. ''' attempted = 0 completed = 0 failed = 0 with evtx.Evtx(os.path.join(data_path, 'dns_log_malformed.evtx')) as log: for chunk in log.chunks(): for record in chunk.records(): try: attempted += 1 assert record.xml() is not None completed += 1 except UnicodeDecodeError: failed += 1 # this small log file has exactly five records. assert attempted == 5 # the first record is valid. assert completed == 1 # however the remaining four have corrupted ASCII strings, # which we are unable to decode. assert failed == 4 python-evtx-0.7.4/tests/test_issue_38.py000066400000000000000000000017751402613732500202610ustar00rootroot00000000000000import os import pytest import Evtx.Evtx as evtx from fixtures import * def one(iterable): ''' fetch a single element from the given iterable. Args: iterable (iterable): a sequence of things. Returns: object: the first thing in the sequence. ''' for i in iterable: return i def get_child(node, tag, ns="{http://schemas.microsoft.com/win/2004/08/events/event}"): return node.find("%s%s" % (ns, tag)) def test_hex64_value(data_path): ''' regression test demonstrating issue 38. Args: data_path (str): the file system path of the test directory. ''' with evtx.Evtx(os.path.join(data_path, 'issue_38.evtx')) as log: for chunk in log.chunks(): record = one(chunk.records()) event_data = get_child(record.lxml(), 'EventData') for data in event_data: if data.get('Name') != 'SubjectLogonId': continue assert data.text == '0x000000000019d3af' python-evtx-0.7.4/tests/test_issue_39.py000066400000000000000000000021661402613732500202550ustar00rootroot00000000000000import os import pytest import Evtx.Evtx as evtx from fixtures import * def one(iterable): ''' fetch a single element from the given iterable. Args: iterable (iterable): a sequence of things. Returns: object: the first thing in the sequence. ''' for i in iterable: return i def get_child(node, tag, ns="{http://schemas.microsoft.com/win/2004/08/events/event}"): return node.find("%s%s" % (ns, tag)) def get_children(node, tags, ns="{http://schemas.microsoft.com/win/2004/08/events/event}"): for tag in tags: node = get_child(node, tag, ns=ns) return node def test_systemtime(data_path): ''' regression test demonstrating issue 39. Args: data_path (str): the file system path of the test directory. ''' with evtx.Evtx(os.path.join(data_path, 'issue_39.evtx')) as log: for record in log.records(): if record.record_num() != 129: continue time_created = get_children(record.lxml(), ['System', 'TimeCreated']) assert time_created.get('SystemTime') == '2017-04-21 07:41:17.003393' python-evtx-0.7.4/tests/test_issue_43.py000066400000000000000000000011501402613732500202400ustar00rootroot00000000000000import os import pytest import Evtx.Evtx as evtx from fixtures import * def get_record_by_num(log, record_num): for record in log.records(): if record.record_num() == record_num: return record raise KeyError(record_num) def test_issue_43(data_path): ''' regression test demonstrating issue 43. Args: data_path (str): the file system path of the test directory. ''' with evtx.Evtx(os.path.join(data_path, 'issue_43.evtx')) as log: bad_rec = get_record_by_num(log, 508) with pytest.raises(UnicodeDecodeError): _ = bad_rec.xml() python-evtx-0.7.4/tests/test_records.py000066400000000000000000000320361402613732500202520ustar00rootroot00000000000000import textwrap import pytest import Evtx.Evtx as evtx import Evtx.Nodes as e_nodes from fixtures import * try: import lxml no_lxml = False except: no_lxml = True def test_parse_records(system): ''' regression test demonstrating that all record metadata can be parsed. Args: system (bytes): the system.evtx test file contents. pytest fixture. ''' fh = evtx.FileHeader(system, 0x0) for i, chunk in enumerate(fh.chunks()): for j, record in enumerate(chunk.records()): assert record.magic() == 0x2a2a def test_parse_records2(security): ''' regression test demonstrating that all record metadata can be parsed. Args: security (bytes): the security.evtx test file contents. pytest fixture. ''' fh = evtx.FileHeader(security, 0x0) for i, chunk in enumerate(fh.chunks()): for j, record in enumerate(chunk.records()): assert record.magic() == 0x2a2a def one(iterable): ''' fetch a single element from the given iterable. Args: iterable (iterable): a sequence of things. Returns: object: the first thing in the sequence. ''' for i in iterable: return i def extract_structure(node): ''' given an evtx bxml node, generate a tree of all the nodes. each node has: - str: node type - str: (optional) value - list: (optional) children Args: node (evtx.Node): the root node. Returns: list: the tree representing the bxml structure. ''' name = node.__class__.__name__ if isinstance(node, e_nodes.BXmlTypeNode): # must go before is VariantTypeNode value = None elif isinstance(node, e_nodes.VariantTypeNode): value = node.string() elif isinstance(node, e_nodes.OpenStartElementNode): value = node.tag_name() elif isinstance(node, e_nodes.AttributeNode): value = node.attribute_name().string() else: value = None children = [] if isinstance(node, e_nodes.BXmlTypeNode): children.append(extract_structure(node._root)) elif isinstance(node, e_nodes.TemplateInstanceNode) and node.is_resident_template(): children.append(extract_structure(node.template())) children.extend(list(map(extract_structure, node.children()))) if isinstance(node, e_nodes.RootNode): substitutions = list(map(extract_structure, node.substitutions())) children.append(['Substitutions', None, substitutions]) if children: return [name, value, children] elif value: return [name, value] else: return [name] def test_parse_record(system): ''' regression test demonstrating binary xml nodes getting parsed. Args: system (bytes): the system.evtx test file contents. pytest fixture. ''' fh = evtx.FileHeader(system, 0x0) chunk = one(fh.chunks()) record = one(chunk.records()) # generated by hand, but matches the output of extract_structure. expected = \ ['RootNode', None, [ ['StreamStartNode'], ['TemplateInstanceNode', None, [ ['TemplateNode', None, [ ['StreamStartNode'], ['OpenStartElementNode', 'Event', [ ['AttributeNode', 'xmlns', [ ['ValueNode', None, [ ['WstringTypeNode', 'http://schemas.microsoft.com/win/2004/08/events/event']]]]], ['CloseStartElementNode'], ['OpenStartElementNode', 'System', [ ['CloseStartElementNode'], ['OpenStartElementNode', 'Provider', [ ['AttributeNode', 'Name', [ ['ValueNode', None, [ ['WstringTypeNode', 'Microsoft-Windows-Eventlog']]]]], ['AttributeNode', 'Guid', [ ['ValueNode', None, [ ['WstringTypeNode', '{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}']]]]], ['CloseEmptyElementNode']]], ['OpenStartElementNode', 'EventID', [ ['AttributeNode', 'Qualifiers', [ ['ConditionalSubstitutionNode']]], ['CloseStartElementNode'], ['ConditionalSubstitutionNode'], ['CloseElementNode']]], ['OpenStartElementNode', 'Version', [ ['CloseStartElementNode'], ['ConditionalSubstitutionNode'], ['CloseElementNode']]], ['OpenStartElementNode', 'Level', [ ['CloseStartElementNode'], ['ConditionalSubstitutionNode'], ['CloseElementNode']]], ['OpenStartElementNode', 'Task', [ ['CloseStartElementNode'], ['ConditionalSubstitutionNode'], ['CloseElementNode']]], ['OpenStartElementNode', 'Opcode', [ ['CloseStartElementNode'], ['ConditionalSubstitutionNode'], ['CloseElementNode']]], ['OpenStartElementNode', 'Keywords', [ ['CloseStartElementNode'], ['ConditionalSubstitutionNode'], ['CloseElementNode']]], ['OpenStartElementNode', 'TimeCreated', [ ['AttributeNode', 'SystemTime', [ ['ConditionalSubstitutionNode']]], ['CloseEmptyElementNode']]], ['OpenStartElementNode', 'EventRecordID', [ ['CloseStartElementNode'], ['ConditionalSubstitutionNode'], ['CloseElementNode']]], ['OpenStartElementNode', 'Correlation', [ ['AttributeNode', 'ActivityID', [ ['ConditionalSubstitutionNode']]], ['AttributeNode', 'RelatedActivityID', [ ['ConditionalSubstitutionNode']]], ['CloseEmptyElementNode']]], ['OpenStartElementNode', 'Execution', [ ['AttributeNode', 'ProcessID', [ ['ConditionalSubstitutionNode']]], ['AttributeNode', 'ThreadID', [ ['ConditionalSubstitutionNode']]], ['CloseEmptyElementNode']]], ['OpenStartElementNode', 'Channel', [ ['CloseStartElementNode'], ['ValueNode', None, [ ['WstringTypeNode', 'System']]], ['CloseElementNode']]], ['OpenStartElementNode', 'Computer', [ ['CloseStartElementNode'], ['ValueNode', None, [ ['WstringTypeNode', 'WKS-WIN764BITB.shieldbase.local']]], ['CloseElementNode']]], ['OpenStartElementNode', 'Security', [ ['AttributeNode', 'UserID', [ ['ConditionalSubstitutionNode']]], ['CloseEmptyElementNode']]], ['CloseElementNode']]], ['OpenStartElementNode', 'UserData', [ ['CloseStartElementNode'], ['ConditionalSubstitutionNode'], ['CloseElementNode']]], ['CloseElementNode']]], ['EndOfStreamNode']]]]], ['Substitutions', None, [ ['UnsignedByteTypeNode', '4'], ['UnsignedByteTypeNode', '0'], ['UnsignedWordTypeNode', '105'], ['UnsignedWordTypeNode', '105'], ['NullTypeNode'], ['Hex64TypeNode', '0x8000000000000000'], ['FiletimeTypeNode', '2012-03-14 04:17:43.354563'], ['NullTypeNode'], ['UnsignedDwordTypeNode', '820'], ['UnsignedDwordTypeNode', '2868'], ['UnsignedQwordTypeNode', '12049'], ['UnsignedByteTypeNode', '0'], ['NullTypeNode'], ['NullTypeNode'], ['NullTypeNode'], ['NullTypeNode'], ['NullTypeNode'], ['NullTypeNode'], ['NullTypeNode'], ['BXmlTypeNode', None, [ ['RootNode', None, [ ['StreamStartNode'], ['TemplateInstanceNode', None, [ ['TemplateNode', None, [ ['StreamStartNode'], ['OpenStartElementNode', 'AutoBackup', [ ['AttributeNode', 'xmlns:auto-ns3', [ ['ValueNode', None, [ ['WstringTypeNode', 'http://schemas.microsoft.com/win/2004/08/events']]]]], ['AttributeNode', 'xmlns', [ ['ValueNode', None, [ ['WstringTypeNode', 'http://manifests.microsoft.com/win/2004/08/windows/eventlog']]]]], ['CloseStartElementNode'], ['OpenStartElementNode', 'Channel', [ ['CloseStartElementNode'], ['NormalSubstitutionNode'], ['CloseElementNode']]], ['OpenStartElementNode', 'BackupPath', [ ['CloseStartElementNode'], ['NormalSubstitutionNode'], ['CloseElementNode']]], ['CloseElementNode']]], ['EndOfStreamNode']]]]], ['Substitutions', None, [ ['WstringTypeNode', 'System'], ['WstringTypeNode', 'C:\Windows\System32\Winevt\Logs\Archive-System-2012-03-14-04-17-39-932.evtx']]]]]]]]]]] assert extract_structure(record.root()) == expected def test_render_record(system): ''' regression test demonstrating formatting a record to xml. Args: system (bytes): the system.evtx test file contents. pytest fixture. ''' fh = evtx.FileHeader(system, 0x0) chunk = one(fh.chunks()) record = one(chunk.records()) xml = record.xml() assert xml == textwrap.dedent('''\ 105 0 4 105 0 0x8000000000000000 12049 System WKS-WIN764BITB.shieldbase.local System C:\\Windows\\System32\\Winevt\\Logs\\Archive-System-2012-03-14-04-17-39-932.evtx ''') def test_render_records(system): ''' regression test demonstrating formatting records to xml. Args: system (bytes): the system.evtx test file contents. pytest fixture. ''' fh = evtx.FileHeader(system, 0x0) for chunk in fh.chunks(): for record in chunk.records(): assert record.xml() is not None def test_render_records2(security): ''' regression test demonstrating formatting records to xml. Args: security (bytes): the security.evtx test file contents. pytest fixture. ''' fh = evtx.FileHeader(security, 0x0) for chunk in fh.chunks(): for record in chunk.records(): assert record.xml() is not None @pytest.mark.skipif(no_lxml, reason='lxml not installed') def test_render_records_lxml(system): ''' regression test demonstrating formatting records to xml. Args: system (bytes): the system.evtx test file contents. pytest fixture. ''' fh = evtx.FileHeader(system, 0x0) for i, chunk in enumerate(fh.chunks()): for j, record in enumerate(chunk.records()): assert record.lxml() is not None @pytest.mark.skipif(no_lxml, reason='lxml not installed') def test_render_records_lxml2(security): ''' regression test demonstrating formatting records to xml. Args: security (bytes): the security.evtx test file contents. pytest fixture. ''' fh = evtx.FileHeader(security, 0x0) for i, chunk in enumerate(fh.chunks()): for j, record in enumerate(chunk.records()): assert record.lxml() is not None