ElfFilejElfChnkȰn**:  M& Mŕ0tޡ'{AoM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemA2{ProviderF=KNameService Control ManagerF)Guid&{555908d1-a6d7-4695-8e1e-26931d2012f4}`EventSourceNameService Control ManagerAMSaEventID't) Qualifiers " Version dLevelE{Task Opcode$?jKeywordsAPj; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\F ActivityIDFS5RelatedActivityIDAm ExecutionHF ProcessID9ThreadID .aChannelSystemB+j;nComputerWIN-3PIMCL4OH3LABt.SecurityfLUserID ! Z!|@: 4D4v*M^pkD EventDataA5oData=param1 A#=param2  !Binary DWindows Management Instrumentationck(WЏLWinmgmt/4e**;.  M& W!|@.; 4DIP Helperck(WЏLiphlpsvc/4v**@<6  M& !|@6< 4DRWindows Remote Management (WS-Management)ck(WЏLWinRM/4 Z&@**=:  M& Y!|@:= 4D Serverck(WЏLLanmanServer/4 **(>:  M& y!r:> N& N&@F&*N<0kA#=param1  cdromame(**X?MD  M&  !@MD? U6 U6ڕ ,kA#=param1 A#=param2 A#=param3 A#=param4 A#=param5    Windows Time\Pbk0x40030011d\O|~: Q~ޏc (RQ)eW32TimesX**@  M& W!|@@ 4DWindows Time\PbkW32Time/1P**8A  M& !|@A 4DDPortable Device Enumerator Serviceck(WЏLWPDBusEnum/4Pn8**BK]  M& i!|@K]B 4D(Device Setup Managerck(WЏLDsmSvc/4**CI  M& g!|@IXC 4DApp Readinessck(WЏLAppReadiness/4\**(D  M& !|@xD 4D<Human Interface Device Serviceck(WЏLhidserv/4s(**E ioiozZgAMsj5http://schemas.microsoft.com/win/2004/08/events/eventbAF=AS t      ?Aj   AFF AF  (+WIN-3PIMCL4OH3LAt  !  @ !LEMicrosoft-Windows-Kernel-GeneralOצ]System wDwӓMuWkA%=NewTime A%=OldTime A#=Reason dow**8FC io  2 =!C FMicrosoft-Windows-TPM-WMIS}M fSystem &&| p)ckFC8**G}  M& c!|@}xG 4D"CNG Key Isolationck(WЏLKeyIso/4en**H  io  2 !  HMicrosoft-Windows-TPM-WMIS}M fSystem &ana**I  io  4 !MY IIg2QYH678%IMicrosoft-Windows-Winlogon|1C̣8System LChKLChymֻ dXkA=TSId A%=UserSid J-N***JR io  @ !R JMicrosoft-Windows-Kernel-GeneralOצ]System ܡ^ ܡ^KNkA3%=HiveNameLength A'=HiveName A-= KeysUpdated A+= DirtyPages Z-\??\C:\Windows\AppCompat\Programs\Amcache.hve$** KR  M& w!|@RxK 4D,Application Experienceck(WЏLAeLookupSvc/4 **0Lm(  M& !|@m(XL 4D2&Windows Modules Installerck(WЏL&TrustedInstaller/40 fA   System(FWIN-00972SSK532A  ! !x F%F%g>9{p(4(; c ,,Intel(R) I350 CSFQQ~ޏc,0t0**0w xt" !wt F%2,Intel(R) I350 CSFQQ~ޏc #2,0ws-N0**.  I*f&'I*fE̱*$cֻAMsj5http://schemas.microsoft.com/win/2004/08/events/event'A:1=Virtual Disk ServiceAz    fA   System(FWIN-00972SSK532A  ! 5!B.  F%@2010001**.  (>:)(>:5g^M$`HAMsj5http://schemas.microsoft.com/win/2004/08/events/eventA"=EventLogAz    fA   System(FWIN-00972SSK532A  ! +!v.  F%t**_  Z O!|@_ 4 Virtual Disk\Pbk vds/1**_  ^-& \Dכ|AMsj5http://schemas.microsoft.com/win/2004/08/events/eventbAF=XAz      ? fA   AFFm AF  (FWIN-00972SSK532A  !  . !  _fBMicrosoft-Windows-Setup>uI]System L1Q0L1fM6A;A/c!= Host OS Name ACc5=Install was an upgrade  ACc5=Host OS was Windows PE  AAc3=Host OS major version AAc3=Host OS minor version AAc3=Host OS build version AIc;=Host OS service pack Name A[cM="Host OS service pack major version A[cM="Host OS service pack minor version  V  Windows (TM) 8 Preinstallation Environment#****_  ^-  . ! _fBMicrosoft-Windows-Setup>uI]System ^\4^-^\Y3$;A%c=OS Name A/c!= OS EditionID A7c)=OS major version A7c)=OS minor version A7c)=OS build version A?c1=OS service pack Name AQcC=OS service pack major version AQcC=OS service pack minor version @Windows Server 2012 R2 StandardServerStandard#m **c zL7zLauc+oAcMsj5http://schemas.microsoft.com/win/2004/08/events/eventAF=User32FX&{b0aa8734-56f7-41cc-b2f4-de228e98b946}User32Az      ? fA   AFFmAF System(FWIN-00972SSK532A  !  ]!2c Ńh;Ńh>8 Cz8,;A#c=param1 A#c=param2 A#c=param3 A#c=param4 A#c=param5 A#c=param6 A#c=param7 d&C:\Windows\system32\winlogon.exe (WIN-00972SSK532)WIN-3PIMCL4OH3Ld\O|~: GS~(RQ)0x80020003͑e/TRNT AUTHORITY\SYSTEM**c  Z a!|@c 4&Group Policy Client\Pbkgpsvc/1oces**zv  Z e!|@zv 4(Device Setup Manager\PbkDsmSvc/1V **zv  Z [!|@zv 4Plug and Play\PbkPlugPlay/1**zv  Z m!|@zv 4,Cryptographic Services\PbkCryptSvc/1**(zv  Z }!|@zv 4@Distributed Link Tracking Client\PbkTrkWks/1we(** zv  Z w!|@zv  4, Device Install Service\Pbk DeviceInstall/1K **zv  Z g!|@zv  4(User Profile Service\PbkProfSvc/1**0zv  Z !|@zv  4DWindows Management Instrumentation\PbkWinmgmt/10**zv  ^-  > o!?g zvѴ6cZB(Microsoft-Windows-DHCPv6-Client+jj8L\;gxSystem JA-;G;JA-un$ke [hg#@4;A'c=DwordVal  **0zv  ^-  : !Eu zvѴ6cZB(Microsoft-Windows-Dhcp-ClientrNMfjSystem JA-;G0** zv  Z w!|@zv 44Windows Font Cache Service\PbkFontCache/1 **zv  Z O!|@zv  4DHCP Client\PbkDhcp/1K**zv  Z c!|@zv  4&Software Protection\Pbksppsvc/1(**Vy  M&L Mŕ0tޡ'AMsj5http://schemas.microsoft.com/win/2004/08/events/eventAF=Service Control ManagerFX&{555908d1-a6d7-4695-8e1e-26931d2012f4}Service Control ManagerAz      ? fA   AFFmAF System(FWIN-3PIMCL4OH3LA  ! c!|@Vy  4"Windows Event Log\PbkEventLog/1**Vy  M&L ]!|@Vy  4Task Scheduler\PbkSchedule/1**   M&L q!|@  44Windows Connection Manager\PbkWcmsvc/1No)H **8  M&L !|@  4RWindows Remote Management (WS-Management)\PbkWinRM/1-W8** S^S%S|̾gW\=@AMsj5http://schemas.microsoft.com/win/2004/08/events/eventA"=EventLogAz    fA   System(FWIN-3PIMCL4OH3LA  ! o!y F%L6.03.9600Multiprocessor Free16384s-K** S^S ;!u F% $x**` S^S !} F%,d1560-480 -NVhQed1.10Windows Server 2012 R2 Standard6.3.9600 Build 9600 Multiprocessor Free9600.winblue_gdr.130913-21415b45b2f1Not AvailableNot Available93265415804WIN-3PIMCL4OH3LnQ`**(U io~YiozZgAMsj5http://schemas.microsoft.com/win/2004/08/events/eventbAF=XAz      ? fA   AFFm AF  (FWIN-3PIMCL4OH3LA  ! <  !gmUPl~Microsoft-Windows-Kernel-Power:;3 D^w" 7ִSystem ns\&'n {pe E;A;c-=ShutdownActionType A9c+=ShutdownEventCode A3c%=ShutdownReason (**bh io~Y @ s! bhi~ DMicrosoft-Windows-Kernel-GeneralOצ]System  %^ %C+Wi4@4;A'c=StopTime bh** io~Y  @ ! i~ Microsoft-Windows-Kernel-GeneralOצ]System /w`/wmUWF~r;A/c!= MajorVersion A/c!= MinorVersion A/c!= BuildVersion A+c= QfeVersion A3c%=ServiceVersion A'c=BootMode A)c= StartTime %@[ ** io~Y  : !~j~Microsoft-Windows-Kernel-BootDzMK ^SSystem җ)cҗ)藭C9Diz;A7c)=LastShutdownGood A/c!= LastBootGood    ** io~Y  : o!~j~Microsoft-Windows-Kernel-BootDzMK ^SSystem Td~YT;hX<͚8J@4;A'c=BootType l-Pr** io~Y  : s!~j~Microsoft-Windows-Kernel-BootDzMK ^SSystem ngfneO@3D8;A+c= EntryCount es** io~Y  : ! ~j~Microsoft-Windows-Kernel-BootDzMK ^SSystem v gv ?M(\P;ACc5=BitlockerUserInputTime  ** io~Y  : !~j~Microsoft-Windows-Kernel-BootDzMK ^SSystem qi4qw#i6ߥFVJ;A1c#= ResetEndStart A7c)=LoadOSImageStart  A9c+=StartOSImageStart  AAc3=ExitBootServicesEntry  A?c1=ExitBootServicesExit       Ym **07 io~Y  , )!b7@lMicrosoft-Windows-Ntfsz?nMĂSystem (Yl(حh@9 2;A)c= DriveName A+c= DeviceName AAc3=CorruptionActionState 0C:\Device\HarddiskVolume2so0** io~Y  > !Microsoft-Windows-FilterManagercIİSystem w7nw7->vSZGsl`;A-c= FinalStatus A;c-=DeviceVersionMajor A;c-=DeviceVersionMinor A7c)=DeviceNameLength A+c= DeviceName A+c= DeviceTime  npsvctrig)os-K**& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System qgftŸ9rIIdX;A!c=Group A#c=Number **& io~Y  P !/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/sewykǟT3B- XL;A!c=Group A#c=Number A3c%=IdleStateCount A;c-=IdleImplementation A7c)=NominalFrequency AIc;=MaximumPerformancePercent AIc;=MinimumPerformancePercent ACc5=MinimumThrottlePercent AIc;=PerformanceImplementation  5d99-K**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System qf8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99icp**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q!8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99 p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q nQ8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s  5d99p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q 8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s  5d99p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99Vop**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System qV8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System qug8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q 8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s  5d99p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q **8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s  5d99p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q 8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s  5d99 p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q>8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99@p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99fp**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System qi8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99tip**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ql8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99op**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System qHa8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99**p**8& io~Y  P !"&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System qM8**p& io~Y  P V!/7&tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99p**8 io~Y  P !"tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System qu8**p io~Y  P V!/7tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99gep**8 io~Y  P !"tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System qs-8**p io~Y  P V!/7tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99emp**8 io~Y  P !"tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q8**p io~Y  P V!/7tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99p**8 io~Y  P !"tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q8**p io~Y  P V!/7tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99twp**8 io~Y  P !"tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System qox8**p io~Y  P V!/7tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99Clp**8 io~Y  P !"tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System qti8**p io~Y  P V!/7tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99p**8 io~Y  P !"tMicrosoft-Windows-Kernel-Processor-PowergQNo)H`'System q!8**p  io~Y  P V!/7t Microsoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99 Mp**8  io~Y  P !"t Microsoft-Windows-Kernel-Processor-PowergQNo)H`'System qA8**p  io~Y  P V!/7t Microsoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99p**8  io~Y  P !"t Microsoft-Windows-Kernel-Processor-PowergQNo)H`'System q8**p  io~Y  P V!/7t Microsoft-Windows-Kernel-Processor-PowergQNo)H`'System ew/s 5d99p**" io~Y  , !b"lMicrosoft-Windows-Ntfsz?nMĂSystem (Yl`.\\?\Volume{bb251ca8-84dc-11e8-80b3-806e6f6e6963}\Device\HarddiskVolume1st**Y  M&L _!|@Y 4Plug and Playck(WЏLPlugPlay/4**Jc  M&L I!|@Jc 4 Powerck(WЏLPower/4wA**06o  M&L !|@6o 48DCOM Server Process Launcherck(WЏLDcomLaunch/4&0000** \r  M&L s!|@\r 4&RPC Endpoint Mapperck(WЏLRpcEptMapper/4" ** t v  M&L u!|@t v 46Remote Procedure Call (RPC)ck(WЏLRpcSs/4e **2}  M&L e!|@2} 4* Local Session Managerck(WЏL LSM/4v**  M&L g!|@ 4&Software Protectionck(WЏLsppsvc/4**0  M&L !|@ 4(*System Events Brokerck(WЏL*SystemEventsBroker/40**(  M&L {!|@ 4, Device Install Serviceck(WЏL DeviceInstall/4RS\(**v kck3iZ _:uAMsj5http://schemas.microsoft.com/win/2004/08/events/eventA&= e1iexpressAz    fA   System(FWIN-3PIMCL4OH3LA  ! !vp F%2,Intel(R) I350 CSFQQ~ޏc #2,0**(a k {!ap F%,,Intel(R) I350 CSFQQ~ޏc,0sys(** F  M&L q!|@F 4,Cryptographic Servicesck(WЏLCryptSvc/4s-Us **D9  M&L [!|@D9 4Windows Timeck(WЏLW32Time/4ILE**D9  M&L g!|@D9 4"Windows Event Logck(WЏLEventLog/4**(t >  M&L y!|@t >| 4> Network Store Interface Serviceck(WЏL nsi/4**(**@k@ io~Y  : =!Dt k@(XMicrosoft-Windows-Dhcp-ClientrNMfjSystem &Q &| p)c;nf@**0E io~Y  > !>f 0E(hMicrosoft-Windows-DHCPv6-Client+jj8L\;gxSystem &Q** 0E  M&L S!|@0E|  4DHCP Clientck(WЏLDhcp/4=** !j_  M&L u!|@j_! 44Network Location Awarenessck(WЏLNlaSvc/4I\ **X"Vk  M&L !|@Vk" 4N.Background Tasks Infrastructure Serviceck(WЏL.BrokerInfrastructure/44X**#p  M&L m!|@p# 4(Network List Serviceck(WЏLnetprofm/4F6**P$ry io~Y  > K!ryp$Microsoft-Windows-FilterManagercIİSystem w7n luafvL4Uo1P**%ˀ  M&L M!|@ˀ% 4 Themesck(WЏLThemes/460**&-  M&L k!|@-& 4(User Profile Serviceck(WЏLProfSvc/4dow**'-  M&L e!|@-' 4&Group Policy Clientck(WЏLgpsvc/4d**(  M&L m!|@( 4"COM+ Event Systemck(WЏLEventSystem/4**()  M&L !|@) 4BSystem Event Notification Serviceck(WЏLSENS/4(** * |  M&L u!|@ |* 44Windows Connection Managerck(WЏLWcmsvc/4te **+ |  M&L m!|@ |+ 4*TCP/IP NetBIOS Helperck(WЏLlmhosts/4**,hޓ  M&L Y!|@hޓ, 4DNS Clientck(WЏLDnscache/4Micr**-@ io~Y  < !@-Microsoft-Windows-Time-ServiceSNʦSystem ں+ںԙrogYA;G=TMP_EVENT_MANUAL_PEER_DNS_ERRORA/c!= ErrorMessage A/c!= RetryMinutes A+c= DomainPeer ,( NwSُ7hv;N:g0 (0x80072AF9)time.windows.com,0x9**0."  M&L !|@". 40&Shell Hardware Detectionck(WЏL&ShellHWDetection/4(0**/,  M&L a!|@,/ 4Task Schedulerck(WЏLSchedule/4+**(0  M&L {!|@|0 44Windows Font Cache Serviceck(WЏLFontCache/44(**1  u> u:pLAAMsj5http://schemas.microsoft.com/win/2004/08/events/eventAF=Microsoft-Windows-WinRMFX&{A7975C8F-AC13-49F1-87DA-5A984A4AB417}WinRMAz      ? fA   AFFmAF System(FWIN-3PIMCL4OH3LA  ! l!'1 Bs pBs =z>UAA5;+=Started Listening**2  M&L e!|@|2 4* Base Filtering Engineck(WЏL BFE/4**3)  M&L a!|@)|3 4 Windows Firewallck(WЏLMpsSvc/49 **4G  M&L m!|@G|4 4(Workstationck(WЏL(LanmanWorkstation/4(L** 5G  M&L q!|@G|5 42Security Accounts Managerck(WЏLSamSs/4ervi **6(  M&L ]!|@(6 4Print Spoolerck(WЏLSpooler/4**7  M&L o!|@7 4"Remote Registryck(WЏL"RemoteRegistry/4**X8v   M&L !|@v 8 4P,WinHTTP Web Proxy Auto-Discovery Serviceck(WЏL,WinHttpAutoProxySvc/4X**09/  M&L !|@/9 4@Distributed Link Tracking Clientck(WЏLTrkWks/404e00e580a1\kdnic.inf