ElfFile !XElfChnk__@ ԝ> =f?mMF &**h_I$[ io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8PU!nqm I$["d;d_J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &&| p)c.">D EventDatah**`I$[ io& 8PG!mm I$["d;d`J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c 1cᆫ}Q4?A_>A1 oData=Name A! =AppID A! =Flags ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat &ΰ**aݫ$[ io& 8P!mm ݫ$["d;daJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**bݫ$[ io& 8P?!mm ݫ$["d;dbJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowserMic**xcݫ$[ io& 8P!nrm ݫ$["d;dcJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**dݫ$[ io& 8Pk!mm ݫ$["d;ddJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%:R%&Gm3}>A1 #= ItemsExisting A+ = ItemsAdded A/ != ItemsRemoved A/ != ItemsUpdated A- = ItemsCached ii**xe20[ io& 8P!nqm 20["d;/eJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**f20[ io& 8P!mm 20["d;/fJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**g[ io& 8P!mm ["d;/gJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**h[ io& 8P?!mm ["d;/hJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser **xi[ io& 8P!nrm ["d;/iJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**j[ io& 8P7!mm ["d;/jJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xkbH:[ io& 8P!nqm bH:["d;PkJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**lbH:[ io& 8P!mm bH:["d;PlJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**m K:[ io& 8P!mm K:["d;PmJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**n K:[ io& 8P?!mm K:["d;PnJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser y**xo K:[ io& 8P!nrm K:["d;PoJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**p K:[ io& 8P7!mm K:["d;PpJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xq/$uY[ io& 8P!nqm /$uY["d;QqJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**r/$uY[ io& 8P!mm /$uY["d;QrJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**s&uY[ io& 8P!mm &uY["d;QsJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**t&uY[ io& 8P?!mm &uY["d;QtJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser **xu&uY[ io& 8P!nrm &uY["d;QuJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**v&uY[ io& 8P7!mm &uY["d;QvJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xwʧ:Y[ io& 8P!nqm ʧ:Y["d;dOwJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**xʧ:Y[ io& 8P!mm ʧ:Y["d;dOxJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**y+ =Y[ io& 8P!mm + =Y["d;dOyJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**z+ =Y[ io& 8P?!mm + =Y["d;dOzJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser "**x{+ =Y[ io& 8P!nrm + =Y["d;dO{J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**|+ =Y[ io& 8P7!mm + =Y["d;dO|J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x}kY[ io& 8P!nqm kY["d;8}J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**~kY[ io& 8P!mm kY["d;8~J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**7\[ io& 8P!mm 7\["d;8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**7\[ io& 8P?!mm 7\["d;8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser ڨ**x7\[ io& 8P!nrm 7\["d;8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**7\[ io& 8P7!mm 7\["d;8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xz\ io& 8P!nqm z\"d;8!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**z\ io& 8P!mm z\"d;8!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**ܔ\ io& 8P!mm ܔ\"d;8!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**ܔ\ io& 8P?!mm ܔ\"d;8!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser ;g**xܔ\ io& 8P!nrm ܔ\"d;8!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**ܔ\ io& 8P7!mm ܔ\"d;8!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x~"\ io& 8P!nqm ~"\"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**~"\ io& 8P!mm ~"\"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**j"\ io& 8P!mm j"\"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**j"\ io& 8P?!mm j"\"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser nT**xj"\ io& 8P!nrm j"\"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**j"\ io& 8P7!mm j"\"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xaٍ\ io& 8P!nqm aٍ\"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**aٍ\ io& 8P!mm aٍ\"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**ۍ\ io& 8P!mm ۍ\"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**ۍ\ io& 8P?!mm ۍ\"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser **xۍ\ io& 8P!nrm ۍ\"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**ۍ\ io& 8P7!mm ۍ\"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xW?\ io& 8P!nqm W?\"d;;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**W?\ io& 8P!mm W?\"d;;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**|?\ io& 8P!mm |?\"d;;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**|?\ io& 8P?!mm |?\"d;;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser Ө**x|?\ io& 8P!nrm |?\"d;;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**|?\ io& 8P7!mm |?\"d;;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xp(=\ io& 8P!nqm p(=\"d;"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**p(=\ io& 8P!mm p(=\"d;"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**@+=\ io& 8P!mm @+=\"d;"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**@+=\ io& 8P?!mm @+=\"d;"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser |**x@+=\ io& 8P!nrm @+=\"d;"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**@+=\ io& 8P7!mm @+=\"d;"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xz&\ io& 8P!nqm z&\"d;@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**z&\ io& 8P!mm z&\"d;@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**(\ io& 8P!mm (\"d;@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**(\ io& 8P?!mm (\"d;@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser G**x(\ io& 8P!nrm (\"d;@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**(\ io& 8P7!mm (\"d;@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xUp[] io& 8P!nqm Up[]"d;4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**Up[] io& 8P!mm Up[]"d;4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**Mr[] io& 8P!mm Mr[]"d;4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**Mr[] io& 8P?!mm Mr[]"d;4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser K**xMr[] io& 8P!nrm Mr[]"d;4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**Mr[] io& 8P7!mm Mr[]"d;4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xe~z] io& 8P!nqm e~z]"d;RJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**e~z] io& 8P!mm e~z]"d;RJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**L1h~z] io& 8P!mm L1h~z]"d;RJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**L1h~z] io& 8P?!mm L1h~z]"d;RJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser Y**xL1h~z] io& 8P!nrm L1h~z]"d;RJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**L1h~z] io& 8P7!mm L1h~z]"d;RJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x9q] io& 8P!nqm 9q]"d;X J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**9q] io& 8P!mm 9q]"d;X J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**q] io& 8P!mm q]"d;X J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**q] io& 8P?!mm q]"d;X J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser **xq] io& 8P!nrm q]"d;X J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**q] io& 8P7!mm q]"d;X J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x0] io& 8P!nqm 0]"d;5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**0] io& 8P!mm 0]"d;5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**fa0] io& 8P!mm fa0]"d;5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**fa0] io& 8P?!mm fa0]"d;5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser **xfa0] io& 8P!nrm fa0]"d;5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**fa0] io& 8P7!mm fa0]"d;5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x $^ io& 8P!nqm $^"d;DPJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x** $^ io& 8P!mm $^"d;DPJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**C$^ io& 8P!mm C$^"d;DPJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**C$^ io& 8P?!mm C$^"d;DPJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser v**xC$^ io& 8P!nrm C$^"d;DPJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**C$^ io& 8P7!mm C$^"d;DPJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xͼC^ io& 8P!nqm ͼC^"d;NJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**ͼC^ io& 8P!mm ͼC^"d;NJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**oмC^ io& 8P!mm oмC^"d;NJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**oмC^ io& 8P?!mm oмC^"d;NJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser **xoмC^ io& 8P!nrm oмC^"d;NJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**oмC^ io& 8P7!mm oмC^"d;NJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xcX_^ io& 8P!nqm cX_^"d;<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**cX_^ io& 8P!mm cX_^"d;<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**cZ_^ io& 8P!mm cZ_^"d;<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**cZ_^ io& 8P?!mm cZ_^"d;<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser >**xcZ_^ io& 8P!nrm cZ_^"d;<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**cZ_^ io& 8P7!mm cZ_^"d;<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x$m^ io& 8P!nqm $m^"d;4J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**xD 'm^ io& 8P!nrm D 'm^"d;4J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Corx**D 'm^ io& 8P7!mm D 'm^"d;4J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xAm^ io& 8P!nqm Am^Njp Qjp`J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ndox**Am^ io& 8P{!mm Am^Njp Qjp`J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ":start.bat - _wce_D:\rfid\Sip2server\start.bat**\m^ io& 8P!mm \m^Njp Qjp`J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batroso**\m^ io& 8P!mm \m^Njp Qjp`J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe***\m^ io& 8P?!mm \m^Njp Qjp`J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x\m^ io& 8P!nrm \m^Njp Qjp`J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &pacx**\m^ io& 8P7!mm \m^Njp Qjp`J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii/Op**x~Wn^ io& 8P!nqm ~Wn^Njp QjpNJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &*x**~Wn^ io& 8P!mm ~Wn^Njp QjpNJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batroso**vWn^ io& 8P!mm vWn^Njp QjpNJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe***vWn^ io& 8P?!mm vWn^Njp QjpNJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xvWn^ io& 8P!nrm vWn^Njp QjpNJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &pacx**vWn^ io& 8P7!mm vWn^Njp QjpNJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii/Op**x n^ io& 8P!nqm n^Njp QjppDJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &*x** n^ io& 8P!mm n^Njp QjppDJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c &Zstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batt-W** n^ io& 8P!mm n^Njp QjppDJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batS**n썝n^ io& 8P!mm n썝n^Njp QjppDJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exed**n썝n^ io& 8P?!mm n썝n^Njp QjppDJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xn썝n^ io& 8P!nrm n썝n^Njp QjppDJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ppDx**n썝n^ io& 8P7!mm n썝n^Njp QjppDJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iirat**x@n^ io& 8P!nqm @n^Njp QjpxLJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &t-Wx**x!n^ io& 8P!nrm !n^Njp QjpxLJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &t-Wx**!n^ io& 8P7!mm !n^Njp QjpxLJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**x^v o~^ io& 8P!nqm ^v o~^"d;#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &t-Wx**^v o~^ io& 8P!mm ^v o~^"d;#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batft-W** o~^ io& 8P!mm o~^"d;#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe-W** o~^ io& 8P?!mm o~^"d;#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowsert-W**x o~^ io& 8P!nrm o~^"d;#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &t-Wxdows-Shell-C io& 8Pwset-Wdows-Shell-Core/Operational ElfChnkDܔi>f=f?mMF  &** o~^ io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8P!mm o~^"d;#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%:R%&Gm3}J>>D EventDataACfoData#= ItemsExisting A+f= ItemsAdded A/f!= ItemsRemoved A/f!= ItemsUpdated A-f= ItemsCached iiCor**hU+^ io& 8P9!nqm hU+^"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & &| p)c>**hU+^ io& 8P5!mm hU+^"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c 1cᆫ}Q4?A_|>Af=Name A!f=AppID A!f=Flags ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batroso**W+^ io& 8P!mm W+^"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exedo**W+^ io& 8P?!mm W+^"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowserona**xW+^ io& 8P!nrm W+^"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**W+^ io& 8P7!mm W+^"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xc _ io& 8P!nqm c _"d;|QJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**c _ io& 8P!mm c _"d;|QJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**e _ io& 8P!mm e _"d;|QJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **e _ io& 8P?!mm e _"d;|QJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xe _ io& 8P!nrm e _"d;|QJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**e _ io& 8P7!mm e _"d;|QJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x(_ io& 8P!nqm (_"d;tJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**(_ io& 8P!mm (_"d;tJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**O[(_ io& 8P!mm O[(_"d;tJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe y**O[(_ io& 8P?!mm O[(_"d;tJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xO[(_ io& 8P!nrm O[(_"d;tJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**O[(_ io& 8P7!mm O[(_"d;tJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xG_ io& 8P!nqm G_"d;,&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**G_ io& 8P!mm G_"d;,&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**WG_ io& 8P!mm WG_"d;,&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **WG_ io& 8P?!mm WG_"d;,&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xWG_ io& 8P!nrm WG_"d;,&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**WG_ io& 8P7!mm WG_"d;,&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x ^`_ io& 8P!nqm ^`_"d;\ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x** ^`_ io& 8P!mm ^`_"d;\ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra** Ia`_ io& 8P!mm Ia`_"d;\ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe "** Ia`_ io& 8P?!mm Ia`_"d;\ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x Ia`_ io& 8P!nrm Ia`_"d;\ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**Ia`_ io& 8P7!mm Ia`_"d;\J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xz9_ io& 8P!nqm z9_"d;/J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**z9_ io& 8P!mm z9_"d;/J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**jܬ9_ io& 8P!mm jܬ9_"d;/J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **jܬ9_ io& 8P?!mm jܬ9_"d;/J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xjܬ9_ io& 8P!nrm jܬ9_"d;/J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**jܬ9_ io& 8P7!mm jܬ9_"d;/J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x~_ io& 8P!nqm ~_"d;%J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**~_ io& 8P!mm ~_"d;%J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**_ io& 8P!mm _"d;%J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe ;g**_ io& 8P?!mm _"d;%J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x_ io& 8P!nrm _"d;%J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**_ io& 8P7!mm _"d;%J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xnH` io& 8P!nqm nH`"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**nH` io& 8P!mm nH`"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**٪` io& 8P!mm ٪`"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe nT**٪` io& 8P?!mm ٪`"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x٪` io& 8P!nrm ٪`"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x** ٪` io& 8P7!mm ٪`"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x!` io& 8P!nqm `"d;#!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**"` io& 8P!mm `"d;#"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**#` io& 8P!mm `"d;##J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **$` io& 8P?!mm `"d;#$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x%` io& 8P!nrm `"d;#%J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**&` io& 8P7!mm `"d;#&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x'^o` io& 8P!nqm ^o`"d;,'J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**(^o` io& 8P!mm ^o`"d;,(J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**)q` io& 8P!mm q`"d;,)J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe ***q` io& 8P?!mm q`"d;,*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x+q` io& 8P!nrm q`"d;,+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**,q` io& 8P7!mm q`"d;,,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x-L` io& 8P!nqm L`"d;8-J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**.L` io& 8P!mm L`"d;8.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**/ZuM` io& 8P!mm ZuM`"d;8/J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe |**0ZuM` io& 8P?!mm ZuM`"d;80J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x1ZuM` io& 8P!nrm ZuM`"d;81J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**2ZuM` io& 8P7!mm ZuM`"d;82J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x3i1` io& 8P!nqm i1`"d;.3J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**4i1` io& 8P!mm i1`"d;.4J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**5̊1` io& 8P!mm ̊1`"d;.5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe G**6̊1` io& 8P?!mm ̊1`"d;.6J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x7̊1` io& 8P!nrm ̊1`"d;.7J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**8̊1` io& 8P7!mm ̊1`"d;.8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x9YgIa io& 8P!nqm YgIa"d;xJ9J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**:iIa io& 8P!mm iIa"d;xJ:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**;iIa io& 8P!mm iIa"d;xJ;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe K**<iIa io& 8P?!mm iIa"d;xJ<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x=iIa io& 8P!nrm iIa"d;xJ=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**>iIa io& 8P7!mm iIa"d;xJ>J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x?Cʽha io& 8P!nqm Cʽha"d;$?J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**@Cʽha io& 8P!mm Cʽha"d;$@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**A ͽha io& 8P!mm ͽha"d;$AJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe Y**B ͽha io& 8P?!mm ͽha"d;$BJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xC ͽha io& 8P!nrm ͽha"d;$CJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**D ͽha io& 8P7!mm ͽha"d;$DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xE0a io& 8P!nqm 0a"d;)EJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**F0a io& 8P!mm 0a"d;)FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**G3a io& 8P!mm 3a"d;)GJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **H3a io& 8P?!mm 3a"d;)HJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xI3a io& 8P!nrm 3a"d;)IJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**J3a io& 8P7!mm 3a"d;)JJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xKpa io& 8P!nqm pa"d;KJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**Lpa io& 8P!mm pa"d;LJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**Mj/pa io& 8P!mm j/pa"d;MJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **Nj/pa io& 8P?!mm j/pa"d;NJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xOj/pa io& 8P!nrm j/pa"d;OJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**Pj/pa io& 8P7!mm j/pa"d;PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xQ:ɚb io& 8P!nqm :ɚb"d;&QJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**R:ɚb io& 8P!mm :ɚb"d;&RJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**S+b io& 8P!mm +b"d;&SJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe v**T+b io& 8P?!mm +b"d;&TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xU+b io& 8P!nrm +b"d;&UJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**V+b io& 8P7!mm +b"d;&VJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xWb1b io& 8P!nqm b1b"d;NWJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**Xb1b io& 8P!mm b1b"d;NXJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**Y5e1b io& 8P!mm 5e1b"d;NYJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **Z5e1b io& 8P?!mm 5e1b"d;NZJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x[5e1b io& 8P!nrm 5e1b"d;N[J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**\5e1b io& 8P7!mm 5e1b"d;N\J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x]Mb io& 8P!nqm Mb"d;S]J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & id\x**^Mb io& 8P!mm Mb"d;S^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batstra**_kMb io& 8P!mm kMb"d;S_J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe >**`kMb io& 8P?!mm kMb"d;S`J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xakMb io& 8P!nrm kMb"d;SaJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**bkMb io& 8P7!mm kMb"d;SbJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xcMrHlb io& 8P!nqm MrHlb"d;xLcJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**dMrHlb io& 8P!mm MrHlb"d;xLdJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batm^N**eJlb io& 8P!mm Jlb"d;xLeJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exeic**fJlb io& 8P?!mm Jlb"d;xLfJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowsert-W**xgJlb io& 8P!nrm Jlb"d;xLgJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**hJlb io& 8P7!mm Jlb"d;xLhJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iie**xin =f?mMF &**hzqc io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8PU!nqm zqc"d;!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &&| p)c.">D EventDatah**zqc io& 8PG!mm zqc"d;!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c 1cᆫ}Q4?A_>A1 oData=Name A! =AppID A! =Flags ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat &ΰ**cܑqc io& 8P!mm cܑqc"d;!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**cܑqc io& 8P?!mm cܑqc"d;!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowserMic**xcܑqc io& 8P!nrm cܑqc"d;!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**cܑqc io& 8Pk!mm cܑqc"d;!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%:R%&Gm3}>A1 #= ItemsExisting A+ = ItemsAdded A/ != ItemsRemoved A/ != ItemsUpdated A- = ItemsCached ii**xxc io& 8P!nqm xc"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**xc io& 8P!mm xc"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**Sexc io& 8P!mm Sexc"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**Sexc io& 8P?!mm Sexc"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser **xSexc io& 8P!nrm Sexc"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**Sexc io& 8P7!mm Sexc"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xV#!c io& 8P!nqm V#!c"d;.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**V#!c io& 8P!mm V#!c"d;.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**_&!c io& 8P!mm _&!c"d;.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**_&!c io& 8P?!mm _&!c"d;.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser y**x_&!c io& 8P!nrm _&!c"d;.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**_&!c io& 8P7!mm _&!c"d;.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x#ȒIc io& 8P!nqm #ȒIcNjpyjpLNJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**#ȒIc io& 8PQ!mm #ȒIcNjpyjpLNJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CB1***Ic io& 8PQ!mm *IcNjpyjpLNJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CB8.**x*Ic io& 8P!nrm *IcNjpyjpLNJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**׌Ic io& 8P7!mm ׌Ic]LNJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**x*c io& 8P!nqm *c"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x***c io& 8P!mm *c"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**p*c io& 8P!mm p*c"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**W *c io& 8P?!mm W *c"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**x[*c io& 8P!nrm [*c"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx***c io& 8P7!mm *c"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**x /nd io& 8P!nqm /nd"d;pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x** /nd io& 8P!mm /nd"d;pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**1nd io& 8P!mm 1nd"d;pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**1nd io& 8P?!mm 1nd"d;pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**x1nd io& 8P!nrm 1nd"d;pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**1nd io& 8P7!mm 1nd"d;pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**xs(#d io& 8P!nqm s(#d"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**s(#d io& 8P!mm s(#d"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**Њ%d io& 8P!mm Њ%d"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**Њ%d io& 8P?!mm Њ%d"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**xЊ%d io& 8P!nrm Њ%d"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**Њ%d io& 8P7!mm Њ%d"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**x4Td io& 8P!nqm 4Td"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**4Td io& 8P!mm 4Td"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**_z6Td io& 8P!mm _z6Td"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**_z6Td io& 8P?!mm _z6Td"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**x_z6Td io& 8P!nrm _z6Td"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**_z6Td io& 8P7!mm _z6Td"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**xJid io& 8P!nqm Jid"d;KJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**Jid io& 8P!mm Jid"d;KJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**|id io& 8P!mm |id"d;KJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**|id io& 8P?!mm |id"d;KJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**x|id io& 8P!nrm |id"d;KJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**|id io& 8P7!mm |id"d;KJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**xjU7e io& 8P!nqm jU7e"d;OJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**4X7e io& 8P!mm 4X7e"d;OJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**4X7e io& 8P!mm 4X7e"d;OJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**4X7e io& 8P?!mm 4X7e"d;OJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**x4X7e io& 8P!nrm 4X7e"d;OJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**4X7e io& 8P7!mm 4X7e"d;OJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**xyVe io& 8P!nqm yVe"d;FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**yVe io& 8P!mm yVe"d;FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**"{Ve io& 8P!mm "{Ve"d;FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**"{Ve io& 8P?!mm "{Ve"d;FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**x"{Ve io& 8P!nrm "{Ve"d;FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**"{Ve io& 8P7!mm "{Ve"d;FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**xre io& 8P!nqm re"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**re io& 8P!mm re"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**^=re io& 8P!mm ^=re"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**^=re io& 8P?!mm ^=re"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**x^=re io& 8P!nrm ^=re"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**^=re io& 8P7!mm ^=re"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**x06e io& 8P!nqm 06e"d;DEJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**06e io& 8P!mm 06e"d;DEJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**48e io& 8P!mm 48e"d;DEJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**48e io& 8P?!mm 48e"d;DEJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**x48e io& 8P!nrm 48e"d;DEJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**48e io& 8P7!mm 48e"d;DEJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**xیf io& 8P!nqm یf"d;lJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**یf io& 8P!mm یf"d;lJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**3f io& 8P!mm 3f"d;lJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**3f io& 8P?!mm 3f"d;lJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**x3f io& 8P!nrm 3f"d;lJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**3f io& 8P7!mm 3f"d;lJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**xw@ f io& 8P!nqm w@ f"d;5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**w@ f io& 8P!mm w@ f"d;5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S** @ f io& 8P!mm @ f"d;5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe** @ f io& 8P?!mm @ f"d;5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**x @ f io& 8P!nrm @ f"d;5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx** @ f io& 8P7!mm @ f"d;5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**x3;f io& 8P!nqm 3;f"d;:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**=6;f io& 8P!mm =6;f"d;:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**=6;f io& 8P!mm =6;f"d;:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**=6;f io& 8P?!mm =6;f"d;:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**x=6;f io& 8P!nrm =6;f"d;:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**=6;f io& 8P7!mm =6;f"d;:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**xkcZf io& 8P!nqm kcZf"d;FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**Zf io& 8P!mm Zf"d;FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**Zf io& 8P!mm Zf"d;FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**Zf io& 8P?!mm Zf"d;FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**xZf io& 8P!nrm Zf"d;FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**Zf io& 8P7!mm Zf"d;FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**x)Lf io& 8P!nqm )Lf"d;MJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**)Lf io& 8P!mm )Lf"d;MJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**+Lf io& 8P!mm +Lf"d;MJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**+Lf io& 8P?!mm +Lf"d;MJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**x+Lf io& 8P!nrm +Lf"d;MJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**+Lf io& 8P7!mm +Lf"d;MJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**x f io& 8P!nqm f"d;'J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x** f io& 8P!mm f"d;'J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**Nmf io& 8P!mm Nmf"d;'J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**Nmf io& 8P?!mm Nmf"d;'J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**xNmf io& 8P!nrm Nmf"d;'J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**Nmf io& 8P7!mm Nmf"d;'J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**xaBg io& 8P!nqm aBg"d;,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**aBg io& 8P!mm aBg"d;,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**Dg io& 8P!mm Dg"d;,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**Dg io& 8P?!mm Dg"d;,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**xDg io& 8P!nrm Dg"d;,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**Dg io& 8P7!mm Dg"d;,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**x\g2$g io& 8P!nqm \g2$g"d;L#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**\g2$g io& 8P!mm \g2$g"d;L#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**{i2$g io& 8P!mm {i2$g"d;L#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**{i2$g io& 8P?!mm {i2$g"d;L#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**x{i2$g io& 8P!nrm {i2$g"d;L#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**{i2$g io& 8P7!mm {i2$g"d;L#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**xԵg io& 8P!nqm ԵgW"nFJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**5g io& 8P!mm 5gW"nFJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**5g io& 8P!mm 5gW"nFJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**5g io& 8P?!mm 5gW"nFJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**x5g io& 8P!nrm 5gW"nFJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**5g io& 8P7!mm 5gW"nFJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**xe'g io& 8P!nqm e'g"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**e'g io& 8P!mm e'g"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S**B*g io& 8P!mm B*g"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**B*g io& 8P?!mm B*g"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**xB*g io& 8P!nrm B*g"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx** B*g io& 8P7!mm B*g"d; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**x 0g io& 8P!nqm 0g"d;PI J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x** 0g io& 8P!mm 0g"d;PI J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batws-S** d0g io& 8P!mm d0g"d;PI J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe** d0g io& 8P?!mm d0g"d;PI J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser-8.**xd0g io& 8P!nrm d0g"d;PIJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**d0g io& 8P7!mm d0g"d;PIJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**xg io& 8P!nqm gW"n(J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**Ug io& 8PQ!mm UgW"n(J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CB-Sll-Coren30'|D io& 8P :R%iiwset-Wdows-Shell-Core/Operational ElfChnkhu]=P> =f?mMF1_& **hUg io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8PU!nrm UgW"n(J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &&| p)c.">D EventDatah**`g io& 8P}!mm `gW"n(J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% :R%&Gm3}.">AC oData#= ItemsExisting A+ = ItemsAdded A/ != ItemsRemoved A/ != ItemsUpdated A- = ItemsCached ii**xirg io& 8P!nqm irg"d;&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &or\x**Hrg io& 8P5!mm Hrg"d;&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c11cᆫ}Q4?A_|>A =Name A! =AppID A! =Flags ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat!**Hrg io& 8P!mm Hrg"d;&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exedo**Hrg io& 8P?!mm Hrg"d;&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1 gOmȉhVTSBrowser****xHrg io& 8P!nrm Hrg"d;&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &**x**Hrg io& 8P7!mm Hrg"d;&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% iiid\**x'\h io& 8P!nqm '\h"d;SJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**f4*\h io& 8P!mm f4*\h"d;SJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batroso**f4*\h io& 8P!mm f4*\h"d;SJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**f4*\h io& 8P?!mm f4*\h"d;SJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1 gOmȉhVTSBrowser****xf4*\h io& 8P!nrm f4*\h"d;SJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &**x**f4*\h io& 8P7!mm f4*\h"d;SJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% iiid\**x %|h io& 8P!nqm %|h"d;D J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**!Y|h io& 8P!mm Y|h"d;D!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batroso**"Y|h io& 8P!mm Y|h"d;D"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**#Y|h io& 8P?!mm Y|h"d;D#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1 gOmȉhVTSBrowser****x$Y|h io& 8P!nrm Y|h"d;D$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &**x**%Y|h io& 8P7!mm Y|h"d;D%J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% iiA39**x&2#fh io& 8P!nqm 2#fh"d;<&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & 1x**'2#fh io& 8P!mm 2#fh"d;<'J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**(fh io& 8P!mm fh"d;<(J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exed**)fh io& 8P?!mm fh"d;<)J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1 gOmȉhVTSBrowser***x*fh io& 8P!nrm fh"d;<*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**+fh io& 8P7!mm fh"d;<+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ii6\K**x,E|h io& 8P!nqm E|h"d;,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ratx**-~h io& 8P!mm ~h"d;-J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**.C h io& 8P!mm C h"d;.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exed**/C h io& 8P?!mm C h"d;/J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1 gOmȉhVTSBrowser***x0C h io& 8P!nrm C h"d;0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**1C h io& 8P7!mm C h"d;1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ii6\K**x2%i io& 8P!nqm %i"d;$2J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ratx**3i%i io& 8P!mm i%i"d;$3J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**4i%i io& 8P!mm i%i"d;$4J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exed**5i%i io& 8P?!mm i%i"d;$5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1 gOmȉhVTSBrowser***x6i%i io& 8P!nrm i%i"d;$6J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**7i%i io& 8P7!mm i%i"d;$7J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ii6\K**x8VBEi io& 8P!nqm VBEi"d;K8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ratx**9TBEi io& 8P!mm TBEi"d;K9J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**:TBEi io& 8P!mm TBEi"d;K:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exed**;TBEi io& 8P?!mm TBEi"d;K;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1 gOmȉhVTSBrowser***x<TBEi io& 8P!nrm TBEi"d;K<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**=TBEi io& 8P7!mm TBEi"d;K=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ii6\K**x>``i io& 8P!nqm ``i"d;@G>J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ratx**?``i io& 8P!mm ``i"d;@G?J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**@b`i io& 8P!mm b`i"d;@G@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exed**Ab`i io& 8P?!mm b`i"d;@GAJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1 gOmȉhVTSBrowser***xBb`i io& 8P!nrm b`i"d;@GBJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**Cb`i io& 8P7!mm b`i"d;@GCJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ii6\K**(DEF} io& 8P! EF}|sDHDJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_f6!yƒpd>A) = LogonType A' =TaskName AllLogonTasks(**EEF} io& 8PG! EF}|sDHEJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_,PreDesktopSwitchTasksd**FEF} io& 8P/! EF}|sDHFJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ShellPrepe"**GEF} io& 8P/! EF}|sDHGJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ShellPrep**HEF} io& 8PO! EF}|sDHHJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_4AppReadinessPreShellGroup8**IEF} io& 8P5! EF}|sDHIJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_SkydrivePrep****JEF} io& 8P5! EF}|sDHJJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_SkydrivePrep-8.**KEF} io& 8P+! EF}|sDHKJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_RunOnceܐ**LEF} io& 8P+! EF}|sDHLJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_RunOnce**MEF} io& 8P3! EF}|sDHMJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ActiveSetup**N } io& 8P3! }|sDHNJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ActiveSetupa**O } io& 8PC! }|sDHOJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_(WaitForMSAConnected**PVm} io& 8PC! Vm}|sDHPJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_(WaitForMSAConnectedR**QVm} io& 8PG! Vm}|sDHQJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_,PreConfigLauncherSyncMic**RVm} io& 8PG! Vm}|sDHRJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_,PreConfigLauncherSync/Op**SVm} io& 8PG! Vm}|sDHSJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_,PreDesktopSwitchTasksona**TVm} io& 8P;! Vm}|sDHTJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ PerUserServicest**UVm} io& 8P;! Vm}|sDHUJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ PerUserServicesW**VVm} io& 8P7! Vm}|sDHVJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_PreShellTasks***WVm} io& 8PE! Vm}|sDHWJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_*RoamingPayloads0and1Mic**XVm} io& 8PE! Vm}|sDHXJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_*RoamingPayloads0and1en30'**YVm} io& 8PO! Vm}|sDHYJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_4AppReadinessPreShellGrouposo**ZVm} io& 8P3! Vm}|sDHZJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_AppResolverl**[} io& 8P!mm }|sDH[J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EYYEYM~q; g&h\>A' =Scenario A! =Flags  Cor**\} io& 8P3! }o<DH\J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_AppResolverW**]} io& 8P7! }o<DH]J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_PreShellTasksoso**^} io& 8P9! }o<D^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ShellInitTasksor**_} io& 8P9! }o<D_J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ShellInitTasksor**`3} io& 8P7! 3}W"RD`J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_PreStartTaskst-W**a3} io& 8P;! 3}W"RDaJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ RoamingPayload2**b3} io& 8PI! 3}W"RDbJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_.AppReadinessLogonGroup**c3} io& 8P=! 3}W"RDcJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_"UpdatePCSettings!**d3} io& 8P=! 3}W"RDdJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_"UpdatePCSettingsl**e3} io& 8P;! 3}W"RDeJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ RoamingPayload2**f3} io& 8PI! 3}W"RDfJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_.AppReadinessLogonGroup-W**g3} io& 8P7! 3}W"RDgJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_PreStartTasksm**h3} io& 8P7! 3}W"RDhJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_AllLogonTasks**i3} io& 8P;! 3}W"RDiJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ RoamingPayload3@**j3} io& 8P;! 3}W"RDjJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ RoamingPayload3**k3} io& 8P[! 3}W"RDkJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_@AppReadinessNotifyLogonComplete**l3} io& 8P[! 3}W"RDlJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_@AppReadinessNotifyLogonComplete**m3} io& 8PE! 3}W"RDmJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_*ARSFirstRunTelemetry**n3} io& 8PE! 3}W"RDnJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_*ARSFirstRunTelemetry****xoU?} io& 8P!nqm U?}xrDoJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &gx**p|$} io& 8P!mm |$}xrDpJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**q|$} io& 8P!mm |$}xrDqJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exeJ-**r&} io& 8P?!mm &}xrDrJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1 gOmȉhVTSBrowsers-S**s&} io& 8PQ!mm &}xrDsJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1"Firefox308046B0AF4A39CB**xt5R)} io& 8P!nrm 5R)}xrDtJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**u5R)} io& 8P7!mm 5R)}xrDuJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ii**0v˦} io& 8P!%% ˦}xrDxvJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 3"E>2>A% =KeyName \Software\Microsoft\Windows\CurrentVersion\RunMic0**w˦} io& 8Po!%% ˦}xrDxwJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Runn30'**x˦} io& 8Po!%% ˦}xrDxxJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Run 1**Hy["} io& 8P!%% ["}}}DxyJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں_,ں # >2>A% =Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autoruntor\H**pz93#} io& 8P !%% 93#}}}DxzJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.Ym.C HXOagbV>A =PID A% =Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorunp**{93#} io& 8P!!%% 93#}}}Dx{J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologini**| 5#} io& 8P)!%% 5#}}}Dx|J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m."C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologinor**} 5#} io& 8Po!%% 5#}}}Dx}J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Runoso**~<#} io& 8Po!%% <#}}}~J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Run**<#} io& 8P!%% <#}}}J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"30'**#} io& 8P!%% #}}}J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m. "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"i**#} io& 8P!%% #}}}J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"**#} io& 8Pw!%% #}}}DxJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational dSoftware\Microsoft\Windows\CurrentVersion\RunOnce**#} io& 8Pw!%% #}}}DxJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational dSoftware\Microsoft\Windows\CurrentVersion\RunOnce**!$} io& 8P!%% !$}}}J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m. "D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"**(!$} io& 8P!%% !$}}}J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorunOp(**0y$} io& 8P!%% y$}}}J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m."C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorun80**y$} io& 8Po!%% y$}}}J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Run**x0}:} io& 8P!nqm 0}:}0D8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ppDx**0}:} io& 8PQ!mm 0}:}0D8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1"Firefox308046B0AF4A39CB**x0}:} io& 8P!nrm 0}:}0D8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**U:} io& 8P7!mm U:}0D8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ii :R**xы3 io& 8P!nqm ы3W"RDtJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**ы3 io& 8PQ!mm ы3W"RDtJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1"Firefox308046B0AF4A39CBT**xы3 io& 8P!nrm ы3W"RDtJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**ы3 io& 8P7!mm ы3W"RDtJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ii**Ӳ, io& 8P7! Ӳ,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_AllLogonTasksgW"**Ӳ, io& 8PG! Ӳ,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_,PreDesktopSwitchTasks***Ӳ, io& 8P/! Ӳ,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ShellPrepJ-**Ӳ, io& 8P/! Ӳ,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ShellPrept-W**Ӳ, io& 8PO! Ӳ,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_4AppReadinessPreShellGroupd**Ӳ, io& 8P5! Ӳ,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_SkydrivePrep**Ӳ, io& 8P5! Ӳ,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_SkydrivePrep**Ӳ, io& 8P+! Ӳ,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_RunOnce**Ӳ, io& 8P+! Ӳ,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_RunOnce**Ӳ, io& 8P3! Ӳ,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ActiveSetup**٨, io& 8P3! ٨,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ActiveSetupt**٨, io& 8PC! ٨,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_(WaitForMSAConnectedd**٨, io& 8PC! ٨,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_(WaitForMSAConnectedl**٨, io& 8PG! ٨,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_,PreConfigLauncherSyncCor**٨, io& 8PG! ٨,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_,PreConfigLauncherSync**٨, io& 8PG! ٨,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_,PreDesktopSwitchTasksU**٨, io& 8P;! ٨,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f_ PerUserServicesSll-Coren30'|D io& 8P :R%iiwset-Wdows-Shell-Core/Operational ElfChnk**YqR>f=f?mMF5AJBG14&I?**٨, io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8P! ٨,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational ff6!yƒ>D EventDataA;foData= LogonType A'f=TaskName  PerUserServices**٨, io& 8P7! ٨,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreShellTasksved**٨, io& 8PE! ٨,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*RoamingPayloads0and1en30'**F<, io& 8PE! F<,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*RoamingPayloads0and1hell**F<, io& 8PO! F<,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f4AppReadinessPreShellGroup**F<, io& 8P3! F<,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAppResolvere**F<, io& 8P!mm F<,|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EYEYM~q; g&h\>A'f=Scenario A!f=Flags  **F<, io& 8P3! F<,o,0=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAppResolver**F<, io& 8P7! F<,o,0=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreShellTasksP**F<, io& 8P9! F<,o,0= J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellInitTasksd**F<, io& 8P9! F<,o,0= J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellInitTasks**G ^, io& 8P7! G ^,Q0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreStartTasksS\X**G ^, io& 8P;! G ^,Q0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload2**G ^, io& 8PI! G ^,Q0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f.AppReadinessLogonGroup***G ^, io& 8P=! G ^,Q0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f"UpdatePCSettings **G ^, io& 8P=! G ^,Q0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f"UpdatePCSettings**G ^, io& 8P;! G ^,Q0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload2a**G ^, io& 8PI! G ^,Q0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f.AppReadinessLogonGrouper**G ^, io& 8P7! G ^,Q0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreStartTasksndo**G ^, io& 8P7! G ^,Q0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAllLogonTaskst-W**G ^, io& 8P;! G ^,Q0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3p**G ^, io& 8P;! G ^,Q0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3p**G ^, io& 8P[! G ^,Q0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonComplete**G ^, io& 8P[! G ^,Q0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonCompletet**G ^, io& 8PE! G ^,Q0TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetryen30'**G ^, io& 8PE! G ^,Q0TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetry|DQR**", io& 8P9!nqm ",xr,0/8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14&| p)c>-S**p, io& 8P5!mm p,xr,0/8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c51cᆫ}Q4?A_|>Af=Name A!f=AppID A!f=Flags ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batJ-**p, io& 8P!mm p,xr,0/8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exeJ-**p, io& 8P?!mm p,xr,0/8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 gOmȉhVTSBrowser8**^ӱ, io& 8PQ!mm ^ӱ,xr,0/8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5"Firefox308046B0AF4A39CB**x^ӱ, io& 8P!nrm ^ӱ,xr,0/8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14!x**^ӱ, io& 8Pk!mm ^ӱ,xr,0/8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I?:R%&Gm3}>A1f#= ItemsExisting A+f= ItemsAdded A/f!= ItemsRemoved A/f!= ItemsUpdated A-f= ItemsCached ii**0t], io& 8P!%% t],TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational B3"E>2>A%f=KeyName \Software\Microsoft\Windows\CurrentVersion\Run0**t], io& 8Po!%% t],TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational B\Software\Microsoft\Windows\CurrentVersion\Run**t], io& 8Po!%% t],TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational B\Software\Microsoft\Windows\CurrentVersion\Run8**Ht], io& 8P!%% t],TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںG_,ں # >2>A%f=Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorunws-SH**p, io& 8P !%% ,TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.AJm.C HXOagbV>Af=PID A%f=Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorun"p**, io& 8P!!%% ,TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںG"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologinic**{u, io& 8P)!%% {u,TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.AJ"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologin***{u, io& 8Po!%% {u,TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational B\Software\Microsoft\Windows\CurrentVersion\Run**, io& 8Po!%% ,TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational B\Software\Microsoft\Windows\CurrentVersion\Rund**, io& 8P!%% ,TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںG"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"so**^ , io& 8P!%% ^ ,TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.AJ"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"-W**^ , io& 8P!%% ^ ,TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںG"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"-W**S, io& 8P!%% S,TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.AJh"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"**(S, io& 8P!%% S,TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںG"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorun(**-, io& 8Pw!%% -,TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational BdSoftware\Microsoft\Windows\CurrentVersion\RunOnce**-, io& 8Pw!%% -,TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational BdSoftware\Microsoft\Windows\CurrentVersion\RunOnce**0$, io& 8P!%% $,TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.AJ,"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorunic0**$, io& 8Po!%% $,TQ0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational B\Software\Microsoft\Windows\CurrentVersion\Runrat**x۬". io& 8P!nqm ۬".`r1TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14Micx**x۬". io& 8P!nrm ۬".`r1TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14s-Sx**8". io& 8P7!mm 8".`r1TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I?iis-S**x4&. io& 8P!nqm 4&.`r1TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14osox**4&. io& 8P!mm 4&.`r1TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat-Cor**䖵&. io& 8P!mm 䖵&.`r1TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **䖵&. io& 8P?!mm 䖵&.`r1TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 gOmȉhVTSBrowserVm**x䖵&. io& 8P!nrm 䖵&.`r1TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14MSAx**䖵&. io& 8P7!mm 䖵&.`r1TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I?iiCon**xe]`(. io& 8P!nqm e]`(.`r1TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14/Opx**e]`(. io& 8P!mm e]`(.`r1TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exeTa**b(. io& 8P?!mm b(.`r1TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 gOmȉhVTSBrowserice**xb(. io& 8P!nrm b(.`r1TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14x**b(. io& 8P7!mm b(.`r1TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I?ii**xT. io& 8P!nqm T.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14Corx**T. io& 8P!mm T.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5&Zstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat0an**7)T. io& 8P!mm 7)T.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**7)T. io& 8P?!mm 7)T.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 gOmȉhVTSBrowser**x7)T. io& 8P!nrm 7)T.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14o x**7)T. io& 8P7!mm 7)T.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I?iirat**xd. io& 8P!nqm d.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14s-Sx**d. io& 8P{!mm d.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5":start.bat - _wce_D:\rfid\Sip2server\start.bat**Dd. io& 8P!mm Dd.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**Dd. io& 8P?!mm Dd.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 gOmȉhVTSBrowser**xDd. io& 8P!nrm Dd.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &143x**Vd. io& 8P7!mm Vd.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I?ii****xCk. io& 8P!nqm Ck.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14Upx**Ck. io& 8P!mm Ck.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**Ck. io& 8P!mm Ck.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**k. io& 8P?!mm k.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 gOmȉhVTSBrowser}W"**xk. io& 8P!nrm k.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &148x**k. io& 8P7!mm k.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I?ii8**x p. io& 8P!nqm p.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14x** p. io& 8P!mm p.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat** p. io& 8P!mm p.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exedo**4#p. io& 8P!mm 4#p.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5&:cSstart.bat - _wce_D:\rfid\Sip2server\start.batQR**4#p. io& 8P?!mm 4#p.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 gOmȉhVTSBrowsern30'**x4#p. io& 8P!nrm 4#p.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14Micx**4#p. io& 8P7!mm 4#p.`r1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I?iiell**xmUR" io& 8P!nqm mUR"|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14Px**mUR" io& 8PQ!mm mUR"|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5"Firefox308046B0AF4A39CB&**xmUR" io& 8P!nrm mUR"|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14x**mUR" io& 8P7!mm mUR"|s,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I?ii046**xNU io& 8P!nqm NUW"D,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14ratx** z(NU io& 8P!mm z(NUW"D,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5xS}~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\uninst.exe  **(z(NU io& 8P!mm z(NUW"D,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 ~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exe0(**/f-NU io& 8P!mm /f-NUW"D,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat***2NU io& 8P!mm *2NUW"D,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe***2NU io& 8P!mm *2NUW"D,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5&:cSstart.bat - _wce_D:\rfid\Sip2server\start.bat**O4NU io& 8P?!mm O4NUW"D,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 gOmȉhVTSBrowserC**(O4NU io& 8P!mm O4NUW"D,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 ~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exeDat(**(6NU io& 8P!mm 6NUW"D,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 ~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exe/Op(**x6NU io& 8P!nrm 6NUW"D,0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14x** >NU io& 8P7!mm >NUW"D,0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I?ikoso**x B] io& 8P!nqm B]|s,0d3 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14Sox**x 1D] io& 8P!nrm 1D]|s,0d3 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14Micx** rD] io& 8P7!mm rD]|s,0d3 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I?kk**x . io& 8P!nqm .F,0@& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14o&x**2 io& 8P!mm 2F,0@&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**h7 io& 8P!mm h7F,0@&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**9 io& 8P!mm 9F,0@&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5&:cSstart.bat - _wce_D:\rfid\Sip2server\start.bat**9 io& 8P?!mm 9F,0@&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 gOmȉhVTSBrowserxe"**x_< io& 8P!nrm _<F,0@&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14x**(_< io& 8P!mm _<F,0@&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 ~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exe0(** _< io& 8P!mm _<F,0@&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5xS}~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\uninst.exe ona **#A io& 8P7!mm #AW"D,0@&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I?kit-W**xs io& 8P!nqm sW"D,0+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14t-Wx**  io& 8P!mm W"D,0+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5xS}~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\uninst.exe U: **($l io& 8P!mm $lW"D,0+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 ~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exe0D(**˕ io& 8P!mm ˕W"D,0+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bato**4A io& 8P!mm 4AW"D,0+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exell**g io& 8P!mm gW"D,0+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5&:cSstart.bat - _wce_D:\rfid\Sip2server\start.bat** io& 8P?!mm W"D,0+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 gOmȉhVTSBrowser**( io& 8P!mm W"D,0+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 ~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exe*(**( io& 8P!mm W"D,0+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 ~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exerat(**x io& 8P!nrm W"D,0+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14s-Sx** 6K io& 8P7!mm 6KW"D,0+ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I?kkoso**x!۶E io& 8P!nqm ۶EF,0d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14ellx**"{J io& 8P!mm {JF,0d"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bata**#{J io& 8P!mm {JF,0d#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**$L io& 8P!mm LF,0d$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5&:cSstart.bat - _wce_D:\rfid\Sip2server\start.bat|s**%L io& 8P?!mm LF,0d%J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 gOmȉhVTSBrowser**x&L io& 8P!nrm LF,0d&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14Px**('L io& 8P!mm LF,0d'J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5 ~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exe0s-S(** (L io& 8P!mm LF,0d(J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5xS}~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\uninst.exe ona **)_ io& 8P7!mm _W"D,0d)J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I?ki/Op**x* :| io& 8P!nqm :|W"D,0*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &14Micxsoft-Windows io& 8PSemm D~<|W"D,0+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c5nal ElfChnk++(0hV>f=f?mMF94ɉ&**+D~<| io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8P!mm D~<|W"D,0+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1cᆫ}Q4?A_>D EventDataA1foData=Name A!f=AppID A!f=Flags xS}~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\uninst.exe s**(,=| io& 8P!mm =|W"D,0,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exe0Mic(**-PS>| io& 8P!mm PS>|W"D,0-J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**.>| io& 8P!mm >|W"D,0.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1ct_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe***/=?| io& 8P!mm =?|W"D,0/J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c&:cSstart.bat - _wce_D:\rfid\Sip2server\start.bat**07?| io& 8P?!mm 7?|W"D,00J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c gOmȉhVTSBrowser **(1zO@| io& 8P!mm zO@|W"D,01J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exe F<(**(2 :A| io& 8P!mm :A|W"D,02J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exeQR(**3 :A| io& 8P9!nrm :A|W"D,03J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &&| p)c>QR**4GD| io& 8Pk!mm GD|W"D,04J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%:R%&Gm3}>A1f#= ItemsExisting A+f= ItemsAdded A/f!= ItemsRemoved A/f!= ItemsUpdated A-f= ItemsCached kk**x5[Y  io& 8P!nqm [Y |s,0 &5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &!x**6  io& 8P!mm |s,0 &6J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batc**7  io& 8P!mm |s,0 &7J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1ct_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe-W**8  io& 8P!mm |s,0 &8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c&:cSstart.bat - _wce_D:\rfid\Sip2server\start.bat f**9 io& 8P?!mm |s,0 &9J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c gOmȉhVTSBrowser**x: io& 8P!nrm |s,0 &:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &s-Sx**(; io& 8P!mm |s,0 &;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\BaiduNetdisk.exe0(** < io& 8P!mm |s,0 &<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cxS}~v^QvC:\Users\Administrator\AppData\Roaming\baidu\BaiduNetdisk\uninst.exe  **=v io& 8P7!mm vW"D,0&=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ki**x>w# io& 8P!nqm w#|s,0D'>J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**?w# io& 8PQ!mm w#|s,0D'?J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CB**x@w# io& 8P!nrm w#|s,0D'@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &G ^x**Aw# io& 8P7!mm w#|s,0D'AJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ki****(BlC io& 8P! lCW" BJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94f6!yƒpd>A)f= LogonType A'f=TaskName AllLogonTasksxr(**ClC io& 8PG! lCW" CJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94,PreDesktopSwitchTasks:\r**D WC io& 8P/! WCW" DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94ShellPreps-S**E WC io& 8P/! WCW" EJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94ShellPrepMic**F WC io& 8PO! WCW" FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f944AppReadinessPreShellGroupt-W**G WC io& 8P5! WCW" GJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94SkydrivePrep***H WC io& 8P5! WCW" HJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94SkydrivePrepws-S**I WC io& 8P+! WCW" IJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94RunOnce**J WC io& 8P+! WCW" JJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94RunOncel**K WC io& 8P3! WCW" KJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94ActiveSetup**LCC io& 8P3! CCW" LJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94ActiveSetup**MCC io& 8PC! CCW" MJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94(WaitForMSAConnected**NkC io& 8PC! kCW" NJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94(WaitForMSAConnected **OkC io& 8PG! kCW" OJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94,PreConfigLauncherSyncCor**PkC io& 8PG! kCW" PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94,PreConfigLauncherSync **QkC io& 8PG! kCW" QJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94,PreDesktopSwitchTasksom=**RkC io& 8P;! kCW" RJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94 PerUserServicesp**SkC io& 8P;! kCW" SJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94 PerUserServices**TkC io& 8P7! kCW" TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94PreShellTaskso&**UkC io& 8PE! kCW" UJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94*RoamingPayloads0and1d**VC io& 8PE! CW" VJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94*RoamingPayloads0and1mmon**WC io& 8PO! CW" WJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f944AppReadinessPreShellGroup m**XC io& 8P3! CW" XJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94AppResolverl**YQC io& 8P!mm QCW" YJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EYyZEYM~q; g&h\>A'f=Scenario A!f=Flags  Cor**ZQC io& 8P3! QC:ZJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94AppResolver**[QC io& 8P7! QC:[J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94PreShellTasks****\QC io& 8P9! QC:\J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94ShellInitTasksws**]QC io& 8P9! QC:]J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94ShellInitTasks**^tD io& 8P7! tDW" ^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94PreStartTaskst-W**_tD io& 8P;! tDW" _J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94 RoamingPayload2**`tD io& 8PI! tDW" `J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94.AppReadinessLogonGroupP**atD io& 8P=! tDW" aJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94"UpdatePCSettings1**btD io& 8P=! tDW" bJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94"UpdatePCSettingsMic**ctD io& 8P;! tDW" cJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94 RoamingPayload2c**dtD io& 8PI! tDW" dJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94.AppReadinessLogonGroup30'**etD io& 8P7! tDW" eJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94PreStartTasks**ftD io& 8P7! tDW" fJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94AllLogonTasks**gtD io& 8P;! tDW" dgJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94 RoamingPayload3**htD io& 8P;! tDW" dhJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94 RoamingPayload3**itD io& 8P[! tDW" iJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94@AppReadinessNotifyLogonComplete]**jtD io& 8P[! tDW" jJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94@AppReadinessNotifyLogonCompletec**ktD io& 8PE! tDW"  kJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94*ARSFirstRunTelemetrymm**ltD io& 8PE! tDW"  lJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94*ARSFirstRunTelemetry **xmD7I io& 8P!nqm D7IW" mJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**n`I io& 8P!mm `IW" nJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batS**oI io& 8P!mm IW" oJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1ct_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exeZ**pI io& 8P!mm IW" pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c&:cSstart.bat - _wce_D:\rfid\Sip2server\start.batrat**qG|I io& 8P?!mm G|IW" qJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c gOmȉhVTSBrowserCor**ruI io& 8PQ!mm uIW" rJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CBQR**xsI io& 8P!nrm IW" sJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &QRx**t]QI io& 8P7!mm ]QIW" tJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%kiQR**0uBdK io& 8P!%% BdKT:(uJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational ɉ3"E>2>A%f=KeyName \Software\Microsoft\Windows\CurrentVersion\Runr\st0**vBdK io& 8Po!%% BdKT:(vJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational ɉ\Software\Microsoft\Windows\CurrentVersion\Runta\**wBdK io& 8Po!%% BdKT:(wJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational ɉ\Software\Microsoft\Windows\CurrentVersion\Runwse**HxBdK io& 8P!%% BdKT:(xJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں_,ں # >2>A%f=Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorunJ-H**py)M io& 8P !%% )MT:(yJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.yZm.C HXOagbV>Af=PID A%f=Command tDC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorunCkp**z)M io& 8P!!%% )MT:(zJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologin`r**{x M io& 8P)!%% x MT:({J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.X"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologin-W**|x M io& 8Po!%% x MT:(|J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational ɉ\Software\Microsoft\Windows\CurrentVersion\Runrat**}\M io& 8Po!%% \MT:}J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational ɉ\Software\Microsoft\Windows\CurrentVersion\Run p**~\M io& 8P!%% \MT:~J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"**Mk\M io& 8P!%% Mk\MT:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m."C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"**Mk\M io& 8P!%% Mk\MT:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"**M yM io& 8Pw!%% M yMT:(J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational ɉdSoftware\Microsoft\Windows\CurrentVersion\RunOnce`r**M yM io& 8Pw!%% M yMT:(J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational ɉdSoftware\Microsoft\Windows\CurrentVersion\RunOnceMic**ŝM io& 8P!%% ŝMT:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m."D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"na**(ŝM io& 8P!%% ŝMT:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorunP(**0FN io& 8P!%% FNT:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m."C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorundo0**FN io& 8Po!%% FNT:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational ɉ\Software\Microsoft\Windows\CurrentVersion\RunCor**x[E io& 8P!nqm [E|s: J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**[E io& 8PQ!mm [E|s: J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CBna**x[E io& 8P!nrm [E|s: J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**[E io& 8P7!mm [E|s: J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ki**]? io& 8P7! ]?W"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94AllLogonTaskscat**]? io& 8PG! ]?W"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94,PreDesktopSwitchTaskst**) io& 8P/! )W"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94ShellPrepQR**) io& 8P/! )W"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94ShellPrepJ-**) io& 8PO! )W"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f944AppReadinessPreShellGroupMic**) io& 8P5! )W"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94SkydrivePrep**) io& 8P5! )W"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94SkydrivePrepBaid**) io& 8P+! )W"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94RunOncep**Q io& 8P+! QW"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94RunOnceR**Q io& 8P3! QW"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94ActiveSetupa**ZI io& 8P3! ZIW"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94ActiveSetup**ZI io& 8PC! ZIW"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94(WaitForMSAConnected**ZI io& 8PC! ZIW"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94(WaitForMSAConnected**ZI io& 8PG! ZIW"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94,PreConfigLauncherSynctar**ZI io& 8PG! ZIW"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94,PreConfigLauncherSync\Ad**ZI io& 8PG! ZIW"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94,PreDesktopSwitchTasksCor**ZI io& 8P;! ZIW"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94 PerUserServicesr**sp io& 8P;! spW"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94 PerUserServicesl**sp io& 8P7! spW"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94PreShellTasksoso**sp io& 8PE! spW"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94*RoamingPayloads0and1@&**  io& 8PE! W"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94*RoamingPayloads0and1**  io& 8PO! W"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f944AppReadinessPreShellGroup**  io& 8P3! W"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94AppResolver**l io& 8P!mm lW"=&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EYyZ tdi**l io& 8P3! lo>&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94AppResolver**l io& 8P7! lo>&#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94PreShellTasksndo**l io& 8P9! lo>& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94ShellInitTasks** io& 8P9! o>& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94ShellInitTasks**@ io& 8P7! @W"=X& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94PreStartTasksser**@ io& 8P;! @W"=X& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94 RoamingPayload2**@ io& 8PI! @W"=X& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94.AppReadinessLogonGroup~v**@ io& 8P=! @W"=X& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94"UpdatePCSettings-Cor**@ io& 8P=! @W"=X& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94"UpdatePCSettingsnrm**@ io& 8P;! @W"=X& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94 RoamingPayload2**@ io& 8PI! @W"=X& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94.AppReadinessLogonGroup**@ io& 8P7! @W"=X& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94PreStartTaskst-W**8iA io& 8P7! 8iAW"=X& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94AllLogonTasks!**8iA io& 8P;! 8iAW"=X&@ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94 RoamingPayload3**8iA io& 8P;! 8iAW"=X&@ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94 RoamingPayload3p**8iA io& 8P[! 8iAW"=X&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94@AppReadinessNotifyLogonCompleter**8iA io& 8P[! 8iAW"=X&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94@AppReadinessNotifyLogonComplete**8iA io& 8PE! 8iAW"=X&lJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94*ARSFirstRunTelemetryidu\**`A io& 8PE! `AW"=X&lJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f94*ARSFirstRunTelemetryl 1**x"ܛ io& 8P!nqm "ܛW"=l&H*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &J-x** io& 8P!mm W"=l&H*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batWdows-Shell-C io& 8Piomm HvW"=l&H*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1ctdows-Shell-Core/Operational 1c5nal ElfChnkBB15>f=f?mMFq11&**Hv io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8Pg!mm HvW"=l&H*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1cᆫ}Q4?A_>D EventDataA1foData=Name A!f=AppID A!f=Flags t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe\uni**v io& 8P!mm vW"=l&H*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c&:cSstart.bat - _wce_D:\rfid\Sip2server\start.batmin** io& 8P?!mm W"=l&H*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c gOmȉhVTSBrowser/Op** io& 8PQ!mm W"=l&H*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CBor** io& 8P9!nrm W"=l&H*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1&| p)c>**n io& 8Pk!mm nW"=l&H*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%:R%&Gm3}>A1f#= ItemsExisting A+f= ItemsAdded A/f!= ItemsRemoved A/f!= ItemsUpdated A-f= ItemsCached ki**0I9 io& 8P!%% I9T&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 3"E>2>A%f=KeyName \Software\Microsoft\Windows\CurrentVersion\Runtdis0**I9 io& 8Po!%% I9T&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\RunDat**I9 io& 8Po!%% I9T&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Run**HI9 io& 8P!%% I9T&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں_,ں # >2>A%f=Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorun IH**p' io& 8P !%% 'T&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.m.C HXOagbV>Af=PID A%f=Command t +C:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorunp**' io& 8P!!%% 'T&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologinJ-**A io& 8P)!%% AT&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m. +"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologinOp**A io& 8Po!%% AT&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Runell**H io& 8Po!%% HT<+@+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Run**o io& 8P!%% oT<+@+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"sk**Ύ io& 8Pw!%% ΎT&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational dSoftware\Microsoft\Windows\CurrentVersion\RunOncetra**Ύ io& 8Pw!%% ΎT&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational dSoftware\Microsoft\Windows\CurrentVersion\RunOnce**Z io& 8P!%% ZT<+@+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.+"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"**Z io& 8P!%% ZT<+@+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"@**` io& 8P!%% `T<+@+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.*"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"-S**(` io& 8P!%% `T<+@+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorune(**0k# io& 8P!%% k#T<+@+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.,"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorunWC0**k# io& 8Po!%% k#T<+@+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Run**xp io& 8P!nqm p(* b(*&L!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1x**2p io& 8PQ!mm 2p(* b(*&L!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CB1**ap io& 8PQ!mm ap(* b(*&L!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CB**xap io& 8P!nrm ap(* b(*&L!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1o&x**qp io& 8P7!mm qpW"=&L!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ki**xt.& io& 8P!nqm t.&|s8&6J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1x**t.& io& 8PQ!mm t.&|s8&6J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CB**xt.& io& 8P!nrm t.&|s8&6J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1x**t.& io& 8P7!mm t.&|s8&6J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iikC**xdV(]> io& 8P!nqm dV(]>|s^&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1MSAx**dV(]> io& 8PQ!mm dV(]>|s^&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CBrS**xdV(]> io& 8P!nrm dV(]>|s^&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1 fx**dV(]> io& 8P7!mm dV(]>|s^&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iirat**x)R io& 8P!nqm )RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1osox**{R io& 8P!mm {RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bate**R io& 8P!mm RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1ct_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**rR io& 8P?!mm rRW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c gOmȉhVTSBrowser**xR io& 8P!nrm RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1**x**PR io& 8P7!mm PRW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iilGr**xUI%R io& 8P!nqm UI%RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1 fx**(QK%R io& 8P!mm QK%RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c&xrestart.bat - _wce_D:\rfid\apache-tomcat-8.5.32\webapps\Sip2server\restart.bat(**K%R io& 8P!mm K%RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**L%R io& 8P!mm L%RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1ct_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exeJ-**= M%R io& 8P?!mm = M%RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c gOmȉhVTSBrowser***xR1M%R io& 8P!nrm R1M%RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1x**M%R io& 8P7!mm M%RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x.R io& 8P!nqm .RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1!x**s.R io& 8P!mm s.RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batc**G.R io& 8P!mm G.RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1ct_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe-W**(z^.R io& 8P!mm z^.RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c*xcSrestart.bat - _wce_D:\rfid\apache-tomcat-8.5.32\webapps\Sip2server\restart.bat*(**.R io& 8P?!mm .RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c gOmȉhVTSBrowser30'**x.R io& 8P!nrm .RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1x**p.R io& 8P7!mm p.RW"=&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x U io& 8P!nqm U|sѰ&=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1/Opx**^!U io& 8PQ!mm ^!U|sѰ&=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CB1f** $U io& 8PQ!mm $U|sѰ&=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CBAp**x $U io& 8P!nrm $U|sѰ&=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1s-Sx**̌'U io& 8P7!mm ̌'U?&=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iiMic**xrIV io& 8P!nqm rIV|s#&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1t-Wx**rIV io& 8PQ!mm rIV|s#&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CBdo**xrIV io& 8P!nrm rIV|s#&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1ndox**rIV io& 8P7!mm rIV|s#&.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iim**x.BLn io& 8P!nqm .BLnW"=&?J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1ex**.BLn io& 8PQ!mm .BLnW"=&?J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CBid**x.BLn io& 8P!nrm .BLnW"=&?J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1ellx**.BLn io& 8P7!mm .BLnW"=&?J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iis-S**(^| io& 8P! ^||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1f6!yƒpd>A)f= LogonType A'f=TaskName AllLogonTasks(**^| io& 8PG! ^||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1,PreDesktopSwitchTasks**^| io& 8P/! ^||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1ShellPrepwar**^| io& 8P/! ^||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1ShellPrepell**^| io& 8PO! ^||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f14AppReadinessPreShellGrouposo**^| io& 8P5! ^||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1SkydrivePrepindo**^| io& 8P5! ^||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1SkydrivePrep**^| io& 8P+! ^||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1RunOnce**=6^| io& 8P+! =6^||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1RunOnceS**=6^| io& 8P3! =6^||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1ActiveSetupr**Za| io& 8P3! Za||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1ActiveSetupi** Za| io& 8PC! Za||srJ  J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1(WaitForMSAConnected** Za| io& 8PC! Za||srJ  J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1(WaitForMSAConnected** Za| io& 8PG! Za||srJ  J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1,PreConfigLauncherSync** Za| io& 8PG! Za||srJ  J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1,PreConfigLauncherSync**** Za| io& 8PG! Za||srJ  J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1,PreDesktopSwitchTasksmon**Za| io& 8P;! Za||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1 PerUserServicesp**Za| io& 8P;! Za||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1 PerUserServicesS**Za| io& 8P7! Za||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1PreShellTasks**Za| io& 8PE! Za||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1*RoamingPayloads0and1%%**|b| io& 8PE! |b||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1*RoamingPayloads0and1io&**|b| io& 8PO! |b||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f14AppReadinessPreShellGroupt\S**|b| io& 8P3! |b||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1AppResolverp**Qd| io& 8P!mm Qd||srJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EYqEYM~q; g&h\>A'f=Scenario A!f=Flags  t-W**Qd| io& 8P3! Qd|orJ& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1AppResolvero**Qd| io& 8P7! Qd|orJ& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1PreShellTasksQR**Qd| io& 8P9! Qd|orJ& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1ShellInitTasksll**Qd| io& 8P9! Qd|orJ& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1ShellInitTasksso**`'| io& 8P7! `'|W"1 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1PreStartTasksoso**z'| io& 8P;! z'|W"1 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1 RoamingPayload2o**z'| io& 8PI! z'|W"1 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1.AppReadinessLogonGroupso**z'| io& 8P=! z'|W"1 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1"UpdatePCSettingsindo**z'| io& 8P=! z'|W"1 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1"UpdatePCSettingshell**z'| io& 8P;! z'|W"1 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1 RoamingPayload2W** z'| io& 8PI! z'|W"1 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1.AppReadinessLogonGroup-S**!z'| io& 8P7! z'|W"1 !J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1PreStartTaskss-S**":(| io& 8P7! :(|W"1 "J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1AllLogonTasksCor**#:(| io& 8P;! :(|W"1 #J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1 RoamingPayload3t**$:(| io& 8P;! :(|W"1 $J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1 RoamingPayload3a**%:(| io& 8P[! :(|W"1 %J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1@AppReadinessNotifyLogonCompleteo**&:(| io& 8P[! :(|W"1 &J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1@AppReadinessNotifyLogonCompletee**':(| io& 8PE! :(|W"1 'J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1*ARSFirstRunTelemetryync**(:(| io& 8PE! :(|W"1 (J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f1*ARSFirstRunTelemetryync**x)YZ| io& 8P!nqm YZ|0J \)J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1x***r| io& 8P!mm r|0J \*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**+s| io& 8P!mm s|0J \+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1ct_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe sp**(,Qs| io& 8P!mm Qs|0J \,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c*xcSrestart.bat - _wce_D:\rfid\apache-tomcat-8.5.32\webapps\Sip2server\restart.batQR(**-zt| io& 8P?!mm zt|0J \-J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c gOmȉhVTSBrowsern30'**.t| io& 8PQ!mm t|0J \.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CBQR**x/u| io& 8P!nrm u|0J \/J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &1Micx**0Ov| io& 8P7!mm Ov|0J \0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iioso**1| io& 8Po!%% |Y}Y} 1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Runt-W**2| io& 8Po!%% |Y}Y} 2J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Run f**3| io& 8Po!%% |Y}Y} 3J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Run**4ɰ| io& 8P!%% ɰ|Y}Y} 4J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںtC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorun**5g| io& 8P!%% g|Y}Y} 5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorun**6g| io& 8P!!%% g|Y}Y} 6J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologinne**7pm| io& 8P)!%% pm|Y}Y} 7J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.$"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologin***8pm| io& 8Po!%% pm|Y}Y} 8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Runell**9w| io& 8Po!%% w|Y}Y}h9J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Runndo**:Ww| io& 8P!%% Ww|Y}Y}h:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"Pr**;x϶| io& 8P!%% x϶|Y}Y}h;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.|"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"**<Ҷ| io& 8P!%% Ҷ|Y}Y}h<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"**=ڶ| io& 8Pw!%% ڶ|Y}Y} =J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational dSoftware\Microsoft\Windows\CurrentVersion\RunOncendo**>ڶ| io& 8Pw!%% ڶ|Y}Y} >J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational dSoftware\Microsoft\Windows\CurrentVersion\RunOncen30'**?/Q| io& 8P!%% /Q|Y}Y}h?J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m."D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"Op**(@/Q| io& 8P!%% /Q|Y}Y}h@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorunܛ(**0A(ܷ| io& 8P!%% (ܷ|Y}Y}hAJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.|"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorunic0**B(ܷ| io& 8Po!%% (ܷ|Y}Y}hBJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Run& io& 8PMicrosoft-Windows-Shell-Core/Operational 1ctdows-Shell-Core/Operational 1c5nal ElfChnkCCHf?c> =f?mMF QZy&**hCz_ io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8PU!nqm z_3% !CJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &&| p)c.">D EventDatah**D$O_ io& 8P-!mm $O_3% !DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c 1cᆫ}Q4?A_>A1 oData=Name A! =AppID A! =Flags ":start.bat - _wce_D:\rfid\Sip2server\start.batc**Eq_ io& 8P!mm q_3% !EJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**F9_ io& 8P!mm 9_3% !FJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**(G݇_ io& 8P!mm ݇_3% !GJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c *xcSrestart.bat - _wce_D:\rfid\apache-tomcat-8.5.32\webapps\Sip2server\restart.bat*(**H%_ io& 8P?!mm %_3% !HJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowserA-**xI?$ _ io& 8P!nrm ?$ _3% !IJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Micx**J _ io& 8Pk!mm _3% !JJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%:R%&Gm3}>A1 #= ItemsExisting A+ = ItemsAdded A/ != ItemsRemoved A/ != ItemsUpdated A- = ItemsCached iit**xK^c io& 8P!nqm ^c3% !KJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ratx**Lnw`c io& 8P!mm nw`c3% !LJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**M`c io& 8P!mm `c3% !MJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exell**Naac io& 8P?!mm aac3% !NJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser!**xOac io& 8P!nrm ac3% !OJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &solx**PUac io& 8P7!mm Uac3% !PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iin30'**xQλuE io& 8P!nqm λuEW"1rJ PQJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &tolx**RuE io& 8P!mm uEW"1rJ PRJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c _O{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Tencent\WeChat\WeChat.exeo&**xS>uE io& 8P!nrm >uEW"1rJ PSJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Winx**TuE io& 8P!mm uEW"1rJ PTJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  ~xS}TeuMicrosoft.AutoGenerated.{28E44BCA-F87F-FB6A-A0B6-442A746C782C}0pd**@UuE io& 8P!mm uEW"1rJ PUJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c Teu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe0@**VuE io& 8P7!mm uE$ PVJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%igce**xWy/xE io& 8P!nqm y/xEorJuJ PWJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**Xj1xE io& 8P!mm j1xEorJuJ PXJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  ~xS}TeuMicrosoft.AutoGenerated.{28E44BCA-F87F-FB6A-A0B6-442A746C782C}0"D**@Yj1xE io& 8P!mm j1xEorJuJ PYJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c Teu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe0ware@**@Zj1xE io& 8P!mm j1xEorJuJ PZJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c Teu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exeginC@**[j1xE io& 8P!mm j1xEorJuJ P[J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c _O{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Tencent\WeChat\WeChat.exegin**x\j1xE io& 8P!nrm j1xEorJuJ P\J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**].3xE io& 8P7!mm .3xEorJuJ P]J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iindo**x^:Ξ io& 8P!nqm :Ξ|srJ ^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ndox**_&U io& 8PQ!mm &U|srJ _J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CBdo**x`&U io& 8P!nrm &U|srJ `J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &!x**aiʠ io& 8P7!mm iʠ|srJ aJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iiMic**xbf io& 8P!nqm f|srJ bJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &6x**cC io& 8PQ!mm C|srJ cJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CBdo**xdC io& 8P!nrm C|srJ dJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &6x**e io& 8P7!mm |srJ eJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iiMic**xf' io& 8P!nqm '|srJ 'fJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**gu) io& 8PQ!mm u)|srJ 'gJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CBdo**xhu) io& 8P!nrm u)|srJ 'hJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**i) io& 8P7!mm )|srJ 'iJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iiMic**xjc} io& 8P!nqm c}|srJ #jJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &.x**kP io& 8PQ!mm P|srJ #kJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CBdo**xldB io& 8P!nrm dB|srJ #lJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**m io& 8P7!mm |srJ #mJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iie**xn> io& 8P!nqm >|srJ nJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**o> io& 8PQ!mm >|srJ oJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CB***xp> io& 8P!nrm >|srJ pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**q> io& 8P7!mm >|srJ qJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii****(rD io& 8P! DW"arJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZf6!yƒpd>A) = LogonType A' =TaskName AllLogonTasks**(**sD io& 8PG! DW"asJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ,PreDesktopSwitchTasksd\a**tD io& 8P/! DW"atJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZShellPrepCor**uD io& 8P/! DW"auJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZShellPrept-W**vD io& 8PO! DW"avJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ4AppReadinessPreShellGroups-S**wD io& 8P5! DW"awJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZSkydrivePrepaMic**xD io& 8P5! DW"axJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZSkydrivePrepaMic**yD io& 8P+! DW"ayJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZRunOnceo**zD io& 8P+! DW"azJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZRunOnce**{D io& 8P3! DW"a{J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZActiveSetup**|yD io& 8P3! yDW"a|J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZActiveSetupa**}yD io& 8PC! yDW"a}J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ(WaitForMSAConnected**~D io& 8PC! DW"a~J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ(WaitForMSAConnectedΨ**D io& 8PG! DW"aJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ,PreConfigLauncherSync**D io& 8PG! DW"aJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ,PreConfigLauncherSync**D io& 8PG! DW"aJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ,PreDesktopSwitchTasks**D io& 8P;! DW"aJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ PerUserServices**D io& 8P;! DW"aJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ PerUserServices**D io& 8P7! DW"aJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZPreShellTasks**D io& 8PE! DW"aJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ*RoamingPayloads0and1Q!**- D io& 8PE! - DW"aJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ*RoamingPayloads0and1P**- D io& 8PO! - DW"aJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ4AppReadinessPreShellGroup**- D io& 8P3! - DW"aJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZAppResolver**D io& 8P!mm DW"aJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EYEYM~q; g&h\>A' =Scenario A! =Flags  s-S**BD io& 8P3! BDo^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZAppResolverc**BD io& 8P7! BDo^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZPreShellTasksell**BD io& 8P9! BDo^ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZShellInitTasksll**BD io& 8P9! BDo^ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZShellInitTasks**D io& 8P7! D D;g+ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZPreStartTasks**D io& 8P;! D D;g+ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ RoamingPayload2**D io& 8PI! D D;g+ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ.AppReadinessLogonGroup***D io& 8P=! D D;g+ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ"UpdatePCSettings**D io& 8P=! D D;g+ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ"UpdatePCSettingsJ-**D io& 8P;! D D;g+ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ RoamingPayload2-**D io& 8PI! D D;g+ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ.AppReadinessLogonGroup-W**D io& 8P7! D D;g+ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZPreStartTaskss-S**BD io& 8P7! BD D;g+ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZAllLogonTasksell**BD io& 8P;! BD D;g+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ RoamingPayload3r**BD io& 8P;! BD D;g+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ RoamingPayload3l**-iD io& 8P[! -iD D;g+|J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ@AppReadinessNotifyLogonCompleteR**-iD io& 8P[! -iD D;g+|J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ@AppReadinessNotifyLogonCompleteo**-iD io& 8PE! -iD D;g+XJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ*ARSFirstRunTelemetryroso**-iD io& 8PE! -iD D;g+XJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fQZ*ARSFirstRunTelemetryroso**xfD io& 8P!nqm fD0^pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ellx**ECD io& 8P!mm ECD0^pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  ~xS}TeuMicrosoft.AutoGenerated.{28E44BCA-F87F-FB6A-A0B6-442A746C782C}0f**@D io& 8P!mm D0^pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c Teu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe0@**D io& 8P!mm D0^pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**AMD io& 8P!mm AMD0^pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exell**D io& 8P?!mm D0^pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowsern30'**7D io& 8PQ!mm 7D0^pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CB**@$D io& 8P!mm $D0^pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c Teu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exeiona@**ED io& 8P!mm ED0^pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c _O{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Tencent\WeChat\WeChat.exe**x],D io& 8P!nrm ],D0^pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &**x**ŝD io& 8P7!mm ŝD0^pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii****0D io& 8P!%% D0^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 3"E>2>A% =KeyName \Software\Microsoft\Windows\CurrentVersion\Run0**D io& 8Po!%% D0^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\RunJ-**D io& 8Po!%% D0^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Runs-S**HD io& 8P!%% D0^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںy_,ں # >2>A% =Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorungPayH**pD io& 8P !%% D0^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.m.C HXOagbV>A =PID A% =Command tlC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorunp**D io& 8P!!%% D0^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںy"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologins**sD io& 8P)!%% sD0^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m."C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologindo**sD io& 8Po!%% sD0^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Runoso**D io& 8Po!%% D0^,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Runs-S**D io& 8P!%% D0^,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںy"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"***zD io& 8P!%% zD0^,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.p"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"**zD io& 8P!%% zD0^,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںy"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"***D io& 8Pw!%% D0^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational dSoftware\Microsoft\Windows\CurrentVersion\RunOncem**D io& 8Pw!%% D0^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational dSoftware\Microsoft\Windows\CurrentVersion\RunOnce**YSGD io& 8P!%% YSGD0^,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m."D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"**(YSGD io& 8P!%% YSGD0^,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںy"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorunJ-(**0pD io& 8P!%% pD0^,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m. "C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorun-S0**pD io& 8Po!%% pD0^,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational \Software\Microsoft\Windows\CurrentVersion\Runi**xf- E io& 8P!nqm f- E|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**E io& 8P!mm E|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c *:start.bat - _wce_ (2)D:\rfid\Sip2server\start.bata**wE io& 8P!mm wE|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batr** E io& 8P!mm E|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe -**MbE io& 8P?!mm MbE|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowserram**xbE io& 8P!nrm bE|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &QRx**E io& 8P7!mm E|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**x`+E io& 8P!nqm `+E|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &istx**LE io& 8P!mm LE|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batc**'E io& 8P!mm 'E|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exell**֜E io& 8P?!mm ֜E|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowserQR**xÉE io& 8P!nrm ÉE|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & xx**39E io& 8P7!mm 39E|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xS=E io& 8P!nqm S=E|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &es x**x(?E io& 8P!nrm (?E|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &QRx**?E io& 8P7!mm ?E|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iiMic**x" #E io& 8P!nqm " #E|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &8x**xZ"#E io& 8P!nrm Z"#E|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &on\x**8"#E io& 8P7!mm 8"#E|s^ҟ^$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii"C**xjE io& 8P!nqm jE|s^F"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &*x**kE io& 8PQ!mm kE|s^F"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CB**xkE io& 8P!nrm kE|s^F"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &on\xn& io& 8P8PMicrosoft-Windows-Shell-Core/Operational 1ctdows-Shell-Core/Operational 1c5nal ElfChnk]](bWC">f=f?mMF v)qnQt &**lE io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8P!mm lE|s^F"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%:R%&Gm3}J>>D EventDataACfoData#= ItemsExisting A+f= ItemsAdded A/f!= ItemsRemoved A/f!= ItemsUpdated A-f= ItemsCached iiCor**<ܟ.] io& 8P9!nqm <ܟ.]W"a^)J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & &| p)c>**Xݟ.] io& 8P!mm ݟ.]W"a^)J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c 1cᆫ}Q4?A_|>Af=Name A!f=AppID A!f=Flags "Firefox308046B0AF4A39CB X**xݟ.] io& 8P!nrm ݟ.]W"a^)J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ݇_x**=8ޟ.] io& 8P7!mm =8ޟ.]W"a^)J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iid\a**(f io& 8P! fW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)f6!yƒpd>A)f= LogonType A'f=TaskName AllLogonTasksI(**f io& 8PG! fW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f),PreDesktopSwitchTasks**f io& 8P/! fW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)ShellPrep=**f io& 8P/! fW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)ShellPrep!K**f io& 8PO! fW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)4AppReadinessPreShellGroupndo**f io& 8P5! fW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)SkydrivePrepmm**f io& 8P5! fW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)SkydrivePrep**f io& 8P+! fW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)RunOnce**f io& 8P+! fW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)RunOnce**f io& 8P3! fW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)ActiveSetupu**Ef io& 8P3! EfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)ActiveSetup**Ef io& 8PC! EfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)(WaitForMSAConnected\**Ef io& 8PC! EfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)(WaitForMSAConnectedn**Ef io& 8PG! EfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f),PreConfigLauncherSyncera**Ef io& 8PG! EfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f),PreConfigLauncherSync/Op**Ef io& 8PG! EfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f),PreDesktopSwitchTasksJ-**Ef io& 8P;! EfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f) PerUserServices-**Ef io& 8P;! EfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f) PerUserServiceso**Ef io& 8P7! EfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)PreShellTasks!**Ef io& 8PE! EfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)*RoamingPayloads0and1ient**Ef io& 8PE! EfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)*RoamingPayloads0and10EF-**Ef io& 8PO! EfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)4AppReadinessPreShellGroupQR**Ef io& 8P3! EfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)AppResolverȘ**sf io& 8P!mm sfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EYi8EYM~q; g&h\>A'f=Scenario A!f=Flags  t-W**sf io& 8P3! sfo ;?J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)AppResolvero**sf io& 8P7! sfo ;?J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)PreShellTasksCor**sf io& 8P9! sfo ;?PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)ShellInitTasksdo**sf io& 8P9! sfo ;?PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)ShellInitTasksat**wf io& 8P7! wfW"PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)PreStartTasksrat**wf io& 8P;! wfW"PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f) RoamingPayload2i**wf io& 8PI! wfW"PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f).AppReadinessLogonGroup**wf io& 8P=! wfW"PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)"UpdatePCSettings****Fzf io& 8P=! FzfW"PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)"UpdatePCSettings**Fzf io& 8P;! FzfW"PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f) RoamingPayload2**Fzf io& 8PI! FzfW"PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f).AppReadinessLogonGroup**Fzf io& 8P7! FzfW"PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)PreStartTasks**Fzf io& 8P7! FzfW"PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)AllLogonTasksm**Fzf io& 8P;! FzfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f) RoamingPayload3**Fzf io& 8P;! FzfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f) RoamingPayload3s**Fzf io& 8P[! FzfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)@AppReadinessNotifyLogonComplete**Fzf io& 8P[! FzfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)@AppReadinessNotifyLogonCompletel**Fzf io& 8PE! FzfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)*ARSFirstRunTelemetryws-S**Fzf io& 8PE! FzfW"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f)*ARSFirstRunTelemetryft-W**x3f io& 8P!nqm 3fxr ;B,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & Corx**|f io& 8P!mm |fxr ;B,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  ~xS}TeuMicrosoft.AutoGenerated.{28E44BCA-F87F-FB6A-A0B6-442A746C782C}0do**@"f io& 8P!mm "fxr ;B,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c Teu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe0@**f io& 8P!mm fxr ;B,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**Bf io& 8P!mm Bfxr ;B,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe**Bf io& 8P?!mm Bfxr ;B,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**Bf io& 8PQ!mm Bfxr ;B,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CB**@hf io& 8P!mm hfxr ;B,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c Teu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exel f@**\Tf io& 8P!mm \Tfxr ;B,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c _O{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Tencent\WeChat\WeChat.exe**x ¶f io& 8P!nrm ¶fxr ;B, J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x** f io& 8P7!mm fxr ;B, J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**0 nX}f io& 8P!%% nX}fxr ;B J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qn3"E>2>A%f=KeyName \Software\Microsoft\Windows\CurrentVersion\Run0** nX}f io& 8Po!%% nX}fxr ;B J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qn\Software\Microsoft\Windows\CurrentVersion\Runoso** nX}f io& 8Po!%% nX}fxr ;B J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qn\Software\Microsoft\Windows\CurrentVersion\RunCor**H]'g io& 8P!%% ]'go ;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQt_,ں # >2>A%f=Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorunviceH**pj'g io& 8P !%% j'go ;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.vi8m.C HXOagbV>Af=PID A%f=Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorun*p**j'g io& 8P!!%% j'go ;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQt"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologin**.'g io& 8P)!%% .'go ;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.vH"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologin-W**.'g io& 8Po!%% .'go ;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qn\Software\Microsoft\Windows\CurrentVersion\RunCor**'g io& 8Po!%% 'go ;< J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qn\Software\Microsoft\Windows\CurrentVersion\Runell**'g io& 8P!%% 'go ;< J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQt"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"-S**x#(g io& 8P!%% x#(g_b OFqi< J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.v"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"***x#(g io& 8P!%% x#(g_b OFqi< J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQt"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"8**ͨh(g io& 8P!%% ͨh(g_b OFqi< J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.vL"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"ic**(ͨh(g io& 8P!%% ͨh(g_b OFqi< J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQt"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorunat(**% k(g io& 8Pw!%% % k(g_b OFqiJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qndSoftware\Microsoft\Windows\CurrentVersion\RunOncesLo**% k(g io& 8Pw!%% % k(g_b OFqiJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qndSoftware\Microsoft\Windows\CurrentVersion\RunOnce**0~(g io& 8P!%% ~(g_b OFqi< J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.v"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorun0**~(g io& 8Po!%% ~(g_b OFqi< J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qn\Software\Microsoft\Windows\CurrentVersion\Runt-W**xYJg io& 8P!nqm YJg vf vf@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**'vJg io& 8PQ!mm 'vJg vf vf@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CBJ-**x<Jg io& 8P!nrm <Jg vf vf@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & Dx** Jg io& 8P7!mm Jg vf vf@ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iiD**x! eM8a io& 8P!nqm eM8a|s ;(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & Px**"$P8a io& 8P!mm $P8a|s ;("J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c _O{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Tencent\WeChat\WeChat.exeJ-**x#$P8a io& 8P!nrm $P8a|s ;(#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & !x**$P8a io& 8P!mm P8a|s ;($J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  ~xS}TeuMicrosoft.AutoGenerated.{28E44BCA-F87F-FB6A-A0B6-442A746C782C}0so**@%P8a io& 8P!mm P8a|s ;(%J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c Teu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe0l &@**&R8a io& 8P7!mm R8aW" ;&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%igicr**x'D;a io& 8P!nqm D;aW" ;'J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ellx**(d;a io& 8P!mm d;aW" ;(J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  ~xS}TeuMicrosoft.AutoGenerated.{28E44BCA-F87F-FB6A-A0B6-442A746C782C}0***@)ٓ;a io& 8P!mm ٓ;aW" ;)J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c Teu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe0-Cor@**@*s;a io& 8P!mm s;aW" ;*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c Teu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exehell@**+;a io& 8P!mm ;aW" ;+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c _O{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Tencent\WeChat\WeChat.exeA39**x,9;a io& 8P!nrm 9;aW" ;,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & 1x**-5;a io& 8P7!mm 5;aW" ;-J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii***x.[h io& 8P!nqm [h|s ;Q.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**/h io& 8PQ!mm h|s ;Q/J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CBP**x0h io& 8P!nrm h|s ;Q0J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**1Wh io& 8P7!mm Wh|s ;Q1J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iiros**x2 r 8 io& 8P!nqm r 8|s ;Q2J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ndox**38 io& 8PQ!mm 8|s ;Q3J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CB1QR**48 io& 8PQ!mm 8|s ;Q4J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CB-S**x58 io& 8P!nrm 8|s ;Q5J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**6 U8 io& 8P7!mm U8';T6J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii%**x7T8 io& 8P!nqm T8 vf mvf|-7J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & *x**8U8 io& 8PQ!mm U8 vf mvf|-8J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CB1in**9W8 io& 8PQ!mm W8 vf mvf|-9J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CBAp**x:W8 io& 8P!nrm W8 vf mvf|-:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**;͑Y8 io& 8P7!mm ͑Y8 vf mvf|-;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**x<c io& 8P!nqm c|s ; ><J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & s-Sx**=e io& 8PQ!mm e|s ; >=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CBil**x>5e io& 8P!nrm 5e|s ; >>J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ndox**?؃e io& 8P7!mm ؃e|s ; >?J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii***x@M]Z io& 8P!nqm M]Z|s ;GR@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**AE`Z io& 8P!mm E`Z|s ;GRAJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**B+`Z io& 8P!mm +`Z|s ;GRBJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe YS**C~aZ io& 8P?!mm ~aZ|s ;GRCJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowsero&**xDaZ io& 8P!nrm aZ|s ;GRDJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x86x**EaZ io& 8P7!mm aZ|s ;GREJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iiMic**xF?c io& 8P!nqm ?c|s ;GRFJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**Gƻc io& 8P!mm ƻc|s ;GRGJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bats**Hcc io& 8P!mm cc|s ;GRHJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c fVfN{tTShttp://192.168.10.81:8180/libsystem/page/login.jspR**IVؼc io& 8P!mm Vؼc|s ;GRIJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe-W**Jtc io& 8P?!mm tc|s ;GRJJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser***xK̛c io& 8P!nrm ̛c|s ;GRKJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**Lc io& 8P7!mm c|s ;GRLJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%ii**xMX io& 8P!nqm X|s ;nRMJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**NDX io& 8PQ!mm DX|s ;nRNJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CB**xOkX io& 8P!nrm kX|s ;nROJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**P,X io& 8P7!mm ,X|s ;nRPJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iitar**xQy_8 io& 8P!nqm y_8|s ;n]QJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & onax**Ra8 io& 8PQ!mm a8|s ;n]RJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CBic**xS'a8 io& 8P!nrm 'a8|s ;n]SJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ndox**Ta8 io& 8P7!mm a8|s ;n]TJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iiQR**xUZ6 io& 8P!nqm Z6|s ;nNUJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ndox**VPZ6 io& 8PQ!mm PZ6|s ;nNVJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c "Firefox308046B0AF4A39CB-W**xWwZ6 io& 8P!nrm wZ6|s ;nNWJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & t-Wx**XZ6 io& 8P7!mm Z6|s ;nNXJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iit-W**xYH? io& 8P!nqm H?|s ;5,XYJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & t-Wx**ZH? io& 8P!mm H?|s ;5,XZJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**[fH? io& 8P!mm fH?|s ;5,X[J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c fVfN{tTShttp://192.168.10.81:8180/libsystem/page/login.jsp**\)H? io& 8P!mm )H?|s ;5,X\J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe-W**]H? io& 8P?!mm H?|s ;5,X]J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser/Opational 1c5nal ElfChnk^^p@;:f> =f?mMFUs kyq& **h^H? io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8PU!nrm H?|s ;5,X^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &&| p)c.">D EventDatah**_H? io& 8P}!mm H?|s ;5,X_J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% :R%&Gm3}.">AC oData#= ItemsExisting A+ = ItemsAdded A/ != ItemsRemoved A/ != ItemsUpdated A- = ItemsCached ii**(`J io& 8P! JW"h0`J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f f6!yƒpd>A) = LogonType A' =TaskName AllLogonTasksefo(**aJ io& 8PG! JW"h0aJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ,PreDesktopSwitchTasks****bJ io& 8P/! JW"h0bJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ShellPrepd\a**cJ io& 8P/! JW"h0cJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ShellPrepA**dJ io& 8PO! JW"h0dJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f 4AppReadinessPreShellGroupt-W**eJ io& 8P5! JW"h0eJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f SkydrivePrepaMic**fJ io& 8P5! JW"h0fJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f SkydrivePreproso**gJ io& 8P+! JW"h0gJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RunOncec**h#J io& 8P+! #JW"h0hJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RunOnceS**i#J io& 8P3! #JW"h0iJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ActiveSetupo**jJ io& 8P3! Joh0jJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ActiveSetupW**kJ io& 8PC! Joh0kJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f (WaitForMSAConnectedl**lJ io& 8PC! Joh0lJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f (WaitForMSAConnectedR**mJ io& 8PG! Joh0mJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ,PreConfigLauncherSynct-W**nJ io& 8PG! Joh0nJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ,PreConfigLauncherSyncell**oJ io& 8PG! Joh0oJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ,PreDesktopSwitchTasksCor**pJ io& 8P;! Joh0pJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  PerUserServicesl**qJ io& 8P;! Joh0qJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  PerUserServiceso**rJ io& 8P7! Joh0rJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PreShellTasksoso**sJ io& 8PE! Joh0sJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f *RoamingPayloads0and1roso**tTJ io& 8PE! TJoh0tJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f *RoamingPayloads0and1indo**uTJ io& 8PO! TJoh0uJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f 4AppReadinessPreShellGroupCor**vTJ io& 8P3! TJoh0vJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f AppResolverl**wJ io& 8P!mm Joh0wJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EY2EYM~q; g&h\>A' =Scenario A! =Flags  oad**xJ io& 8P3! Jooh0xJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f AppResolverp**yJ io& 8P7! Jooh0yJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PreShellTasks f**zJ io& 8P9! JoohzJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ShellInitTasks**{J io& 8P9! Jooh{J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ShellInitTasks30'**|J io& 8P7! JW"h|J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PreStartTasksQR**}J io& 8P;! JW"h}J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  RoamingPayload2R**~J io& 8PI! JW"h~J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f .AppReadinessLogonGroupso**J io& 8P=! JW"hJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f "UpdatePCSettingsft-W**J io& 8P=! JW"hJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f "UpdatePCSettingsindo**J io& 8P;! JW"hJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  RoamingPayload2o**J io& 8PI! JW"hJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f .AppReadinessLogonGroupdo**J io& 8P7! JW"hJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PreStartTaskst-W**iHJ io& 8P7! iHJW"hJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f AllLogonTasksoso**iHJ io& 8P;! iHJW"hJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  RoamingPayload3o**iHJ io& 8P;! iHJW"hJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  RoamingPayload3R**iHJ io& 8P[! iHJW"h|J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f @AppReadinessNotifyLogonCompleteo**iHJ io& 8P[! iHJW"h|J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f @AppReadinessNotifyLogonCompletep**iHJ io& 8PE! iHJW"hJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f *ARSFirstRunTelemetryiona**joJ io& 8PE! joJW"hJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f *ARSFirstRunTelemetry)**x]J io& 8P!nqm ]J0ohJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &t-Wx**X0J io& 8PI!mm X0J0ohJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU1cᆫ}Q4?A_|>A =Name A! =AppID A! =Flags  ~xS}TeuMicrosoft.AutoGenerated.{28E44BCA-F87F-FB6A-A0B6-442A746C782C}08**@1J io& 8P!mm 1J0ohJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cUTeu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe0hell@**4J io& 8P!mm 4J0ohJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**r5J io& 8P!mm r5J0ohJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cUfVfN{tTShttp://192.168.10.81:8180/libsystem/page/login.jsp**5J io& 8P!mm 5J0ohJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cUt_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exedo**O6J io& 8P?!mm O6J0ohJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU gOmȉhVTSBrowserMic**}6J io& 8PQ!mm }6J0ohJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CB B**@7J io& 8P!mm 7J0ohJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cUTeu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exeroso@** 9J io& 8P!mm 9J0ohJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU_O{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Tencent\WeChat\WeChat.exe**x<9J io& 8P!nrm <9J0ohJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**d>J io& 8P7!mm d>J0ohJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ii**0J io& 8P!%% JToh J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational k3"E>2>A% =KeyName \Software\Microsoft\Windows\CurrentVersion\Runhell0**J io& 8Po!%% JToh J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational k\Software\Microsoft\Windows\CurrentVersion\Runndo**J io& 8Po!%% JToh J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational k\Software\Microsoft\Windows\CurrentVersion\Runoso**HJ io& 8P!%% JToh J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںyq_,ں # >2>A% =Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorun-CorH**pJ io& 8P !%% JToh J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.s2m.C HXOagbV>A =PID A% =Command t C:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorunm p**J io& 8P!!%% JToh J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںyq"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologin86**J io& 8P)!%% JToh J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.s "C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologinsb**J io& 8Po!%% JToh J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational k\Software\Microsoft\Windows\CurrentVersion\Runrs\**_J io& 8Po!%% _JToJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational k\Software\Microsoft\Windows\CurrentVersion\Runoso**7J io& 8P!%% 7JToJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںyq"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"or**>5 J io& 8P!%% >5 JToJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.s"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"do**>5 J io& 8P!%% >5 JToJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںyq"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"do**h^J io& 8Pw!%% h^JToh J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational kdSoftware\Microsoft\Windows\CurrentVersion\RunOncen30'**h^J io& 8Pw!%% h^JToh J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational kdSoftware\Microsoft\Windows\CurrentVersion\RunOncendo**!J io& 8P!%% !JToJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.s"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"do**(!J io& 8P!%% !JToJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںyq"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorundo(**0J io& 8P!%% JToJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.s!"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorun-S0**J io& 8Po!%% JToJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational k\Software\Microsoft\Windows\CurrentVersion\Runndo**xT6J io& 8P!nqm T6J|soh\ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &!x**7J io& 8PQ!mm 7J|soh\ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CB1**9J io& 8PQ!mm 9J|soh\ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CB **x9J io& 8P!nrm 9J|soh\ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**:J io& 8P7!mm :J h\ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% iim**xYb;K io& 8P!nqm Yb;K|so:h#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**[kc;K io& 8PQ!mm [kc;K|so:h#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CB1(**p@e;K io& 8PQ!mm p@e;K|so:h#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CB**xp@e;K io& 8P!nrm p@e;K|so:h#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**Wf;K io& 8P7!mm Wf;Kh#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ii6A-**xL io& 8P!nqm L|soоoh0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Corx**|$L io& 8PQ!mm |$L|soоoh0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CBJ-**x|$L io& 8P!nrm |$L|soоoh0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**L io& 8P7!mm L|soоoh0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% iiJ-**x&L io& 8P!nqm &L|so7h J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &o&x**9(&L io& 8PQ!mm 9(&L|so7h J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CB1Su**h$&L io& 8PQ!mm h$&L|so7h J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CBat**xh$&L io& 8P!nrm h$&L|so7h J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &W"x**@&L io& 8P7!mm @&L h J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ii**xbO io& 8P!nqm bOW"h!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**HeO io& 8P!mm eOW"h!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU$License Agreement{6D809377-6AF0-444B-8957-A3773F02200E}\PremiumSoft\Navicat Premium\license.txt *H**H^fO io& 8P!mm ^fOW"h!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU Navicat Premium{6D809377-6AF0-444B-8957-A3773F02200E}\PremiumSoft\Navicat Premium\navicat.exe08046H**PfO io& 8P!mm fOW"h!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU.Navicat Support Center{6D809377-6AF0-444B-8957-A3773F02200E}\PremiumSoft\Navicat Premium\support.url P**X:fO io& 8P!mm :fOW"h!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU(Online Registration{6D809377-6AF0-444B-8957-A3773F02200E}\PremiumSoft\Navicat Premium\registration.url X**X[hO io& 8P!mm [hOW"h!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU4Uninstall Navicat Premium{6D809377-6AF0-444B-8957-A3773F02200E}\PremiumSoft\Navicat Premium\unins000.exe X**HEiO io& 8P!mm EiOW"h!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU Navicat Premium{6D809377-6AF0-444B-8957-A3773F02200E}\PremiumSoft\Navicat Premium\navicat.exeft-WH**xliO io& 8P!nrm liOW"h!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &t-Wx**/aoO io& 8P7!mm /aoOW"h!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% int-W**x)۟O io& 8P!nqm )۟OW"h!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &t-Wx**xvO io& 8P!nrm vOW"h!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ndox**LO io& 8P7!mm LOW"h!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% nnMic**xH"O io& 8P!nqm H"OH 丕Hh8!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Micx**(wO io& 8P!nm wOH 丕Hh8!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational DڱD 2.}>A' =Filename A+ = SchemaType A) = ErrorCode A3 %=Failure reason  C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xmlNULLt-W(**lO io& 8P!mm lOH 丕Hh8!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cULFirefox yOmȉ308046B0AF4A39CB;PrivateBrowsingAUMID1aMic**xO io& 8P!nrm OH 丕Hh8!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Micx**FO io& 8P7!mm FOH 丕Hh8!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% noMic**:yO io& 8P7! :yOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f AllLogonTasksell**:yO io& 8PG! :yOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ,PreDesktopSwitchTasksndo**:yO io& 8P/! :yOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ShellPrepm**:yO io& 8P/! :yOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ShellPrepP**:yO io& 8PO! :yOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f 4AppReadinessPreShellGroup**:yO io& 8P5! :yOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f SkydrivePrep**:yO io& 8P5! :yOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f SkydrivePreproso**:yO io& 8P+! :yOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RunOnce**U8zO io& 8P+! U8zOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RunOnce**U8zO io& 8P3! U8zOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ActiveSetupr**SBO io& 8P3! SBOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ActiveSetupW**SBO io& 8PC! SBOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f (WaitForMSAConnectedW**qiO io& 8PC! qiOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f (WaitForMSAConnectedt**qiO io& 8PG! qiOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ,PreConfigLauncherSync &ΰ**qiO io& 8PG! qiOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ,PreConfigLauncherSync0AF**qiO io& 8PG! qiOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ,PreDesktopSwitchTasks**qiO io& 8P;! qiOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  PerUserServices**qiO io& 8P;! qiOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  PerUserServices**qiO io& 8P7! qiOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PreShellTasks**qiO io& 8PE! qiOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f *RoamingPayloads0and18**,O io& 8PE! ,OW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f *RoamingPayloads0and1!**,O io& 8PO! ,OW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f 4AppReadinessPreShellGroup**,O io& 8P3! ,OW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f AppResolver**nłO io& 8P!mm nłOW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EY2 NX**~O io& 8P3! ~Oo{DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f AppResolver**~O io& 8P7! ~Oo{DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PreShellTasks***~O io& 8P9! ~Oo{D,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ShellInitTasks**~O io& 8P9! ~Oo{D,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ShellInitTasks***D#O io& 8P7! D#OW"6D,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PreStartTaskstra**D#O io& 8P;! D#OW"6D,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  RoamingPayload2rOperational  io& 8P 1c5nal ElfChnkv v A*>f=f?mMF! ɏi.I4&+**D#O io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8P! D#OW"6D,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational ff6!yƒ>D EventDataA;foData= LogonType A'f=TaskName .AppReadinessLogonGroup**D#O io& 8P=! D#OW"6D,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f"UpdatePCSettings!=**D#O io& 8P=! D#OW"6D,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f"UpdatePCSettingsaMic**D#O io& 8P;! D#OW"6D,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload2"**D#O io& 8PI! D#OW"6D,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f.AppReadinessLogonGroupW"**D#O io& 8P7! D#OW"6D,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreStartTasks**#O io& 8P7! #OW"6D,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAllLogonTasksh**#O io& 8P;! #OW"6DTJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3**#O io& 8P;! #OW"6DTJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3**#O io& 8P[! #OW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonComplete**#O io& 8P[! #OW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonCompleteo**#O io& 8PE! #OW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetryhell**#O io& 8PE! #OW"6DJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetry|DQR**QxO io& 8P9!nqm QxOW"6D<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &&| p)c>ic**ÔO io& 8PC!mm ÔOW"6D<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! 1cᆫ}Q4?A_|>Af=Name A!f=AppID A!f=Flags *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**O io& 8P!mm OW"6D<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! fVfN{tTShttp://192.168.10.81:8180/libsystem/page/login.jsp**VPO io& 8P!mm VPOW"6D<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe30'**O io& 8P?!mm OW"6D<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!  gOmȉhVTSBrowserCor**RO io& 8PQ!mm ROW"6D<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! "Firefox308046B0AF4A39CBic**xO io& 8P!nrm OW"6D<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &s-Sx**>O io& 8Pk!mm >OW"6D<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%+:R%&Gm3}>A1f#= ItemsExisting A+f= ItemsAdded A/f!= ItemsRemoved A/f!= ItemsUpdated A-f= ItemsCached oo**0 O io& 8P!%% OW"6D J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.3"E>2>A%f=KeyName \Software\Microsoft\Windows\CurrentVersion\Runws-S0** O io& 8Po!%% OW"6D J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.\Software\Microsoft\Windows\CurrentVersion\RunQR** O io& 8Po!%% OW"6D J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.\Software\Microsoft\Windows\CurrentVersion\Run/Op**H )zO io& 8P!%% )zOW"6D J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںI4_,ں # >2>A%f=Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorunolveH**p ՉO io& 8P !%% ՉOW"6D J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.6m.C HXOagbV>Af=PID A%f=Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorun*p** ՉO io& 8P!!%% ՉOW"6D J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںI4"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologin** zʏO io& 8P)!%% zʏOW"6D J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.6 "C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologinor** zʏO io& 8Po!%% zʏOW"6D J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.\Software\Microsoft\Windows\CurrentVersion\Runs-S** f0O io& 8Po!%% f0OW"6|  J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.\Software\Microsoft\Windows\CurrentVersion\Runona** BO io& 8P!%% BOW"6| J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںI4"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"** O io& 8P!%% OW"6| J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.6"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"** O io& 8P!%% OW"6| J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںI4"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"*** Rq O io& 8Pw!%% Rq O0D J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.dSoftware\Microsoft\Windows\CurrentVersion\RunOncen30'** Rq O io& 8Pw!%% Rq O0D J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.dSoftware\Microsoft\Windows\CurrentVersion\RunOnceCor** M~ O io& 8P!%% M~ O0|  J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.6"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"**( M~ O io& 8P!%% M~ O0|  J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںI4"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorun(**0  O io& 8P!%%  O0|  J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.6!"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorundo0**  O io& 8Po!%%  O0|  J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.\Software\Microsoft\Windows\CurrentVersion\RunQR**x  FV io& 8P!nqm  FV|s{D% J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox** FV io& 8PQ!mm FV|s{D% J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! "Firefox308046B0AF4A39CB1ic**  FV io& 8PQ!mm  FV|s{D% J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! "Firefox308046B0AF4A39CB**x  FV io& 8P!nrm  FV|s{D% J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &EF-x** sFV io& 8P7!mm sFVW"6{D% J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%+ooell**x \ io& 8P!nqm \|s{ D- J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &8x** \ io& 8PQ!mm \|s{ D- J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! "Firefox308046B0AF4A39CB1&** \ io& 8PQ!mm \|s{ D- J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! "Firefox308046B0AF4A39CB\K**x Ī\ io& 8P!nrm Ī\|s{ D- J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ratx** 1\ io& 8P7!mm 1\W"6{D- J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%+oo/Op**x md io& 8P!nqm md8{D@0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &QRx** md io& 8PQ!mm md8{D@0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! "Firefox308046B0AF4A39CB **x Ⱥ md io& 8P!nrm Ⱥ md8{D@0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &.exx** > md io& 8P7!mm > md8{D@0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%+ood>** z3h io& 8P7! z3hW"@!p| J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAllLogonTasks**! z3h io& 8PG! z3hW"@!p|! J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreDesktopSwitchTasks\**" U{3h io& 8P/! U{3hW"@!p|" J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellPrepndo**# U{3h io& 8P/! U{3hW"@!p|# J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellPreps-S**$ U{3h io& 8PO! U{3hW"@!p|$ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f4AppReadinessPreShellGroupMic**% U{3h io& 8P5! U{3hW"@!p|% J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fSkydrivePrepio&**& U{3h io& 8P5! U{3hW"@!p|& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fSkydrivePrep **' U{3h io& 8P+! U{3hW"@!p|' J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fRunOnceo**( |3h io& 8P+! |3hW"@!p|( J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fRunOncel**) |3h io& 8P3! |3hW"@!p|) J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fActiveSetups*** #C3h io& 8P3! #C3hW"@!p|* J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fActiveSetup**+ #C3h io& 8PC! #C3hW"@!p|+ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f(WaitForMSAConnected**, 8j3h io& 8PC! 8j3hW"@!p|, J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f(WaitForMSAConnected**- 8j3h io& 8PG! 8j3hW"@!p|- J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreConfigLauncherSyncte\**. 8j3h io& 8PG! 8j3hW"@!p|. J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreConfigLauncherSyncgra**/ 8j3h io& 8PG! 8j3hW"@!p|/ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreDesktopSwitchTaskss-S**0 8j3h io& 8P;! 8j3hW"@!p|0 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PerUserServiceso**1 8j3h io& 8P;! 8j3hW"@!p|1 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PerUserServices**2 8j3h io& 8P7! 8j3hW"@!p|2 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreShellTasks**3 8j3h io& 8PE! 8j3hW"@!p|3 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*RoamingPayloads0and1do**4 M?3h io& 8PE! M?3hW"@!p|4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*RoamingPayloads0and1ay\S**5 M?3h io& 8PO! M?3hW"@!p|5 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f4AppReadinessPreShellGroupell**6 M?3h io& 8P3! M?3hW"@!p|6 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAppResolver**7 N3h io& 8P!mm N3hW"@!p|7 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EYɏ6EYM~q; g&h\>A'f=Scenario A!f=Flags  oso**8 N3h io& 8P3! N3ho 7p|8 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAppResolverl**9 N3h io& 8P7! N3ho 7p|9 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreShellTaskst-W**: N3h io& 8P9! N3ho 7p: J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellInitTasks***; N3h io& 8P9! N3ho 7p; J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellInitTasks-S**< GiW 3h io& 8P7! GiW 3ho 7p< J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreStartTaskss-S**= GiW 3h io& 8P;! GiW 3ho 7p= J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload2c**> GiW 3h io& 8PI! GiW 3ho 7p> J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f.AppReadinessLogonGroupQR**? GiW 3h io& 8P=! GiW 3ho 7p? J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f"UpdatePCSettings-Cor**@ GiW 3h io& 8P=! GiW 3ho 7p@ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f"UpdatePCSettingsindo**A GiW 3h io& 8P;! GiW 3ho 7pA J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload2o**B GiW 3h io& 8PI! GiW 3ho 7pB J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f.AppReadinessLogonGroup1**C GiW 3h io& 8P7! GiW 3ho 7pC J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreStartTasks/Op**D ,X 3h io& 8P7! ,X 3ho 7pD J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAllLogonTasks**E ,X 3h io& 8P;! ,X 3ho 7pE J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3**F ,X 3h io& 8P;! ,X 3ho 7pF J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3F**G ,X 3h io& 8P[! ,X 3ho 7pG J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonComplete9**H ,X 3h io& 8P[! ,X 3ho 7pH J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonComplete**I ,X 3h io& 8PE! ,X 3ho 7pI J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetry**J SX 3h io& 8PE! SX 3ho 7pJ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetrymm**xK @|}3h io& 8P!nqm @|}3hxr >pK J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &emix**L 3h io& 8P!mm 3hxr >pL J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat0**M h3h io& 8P!mm h3hxr >pM J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! fVfN{tTShttp://192.168.10.81:8180/libsystem/page/login.jsp**N 3h io& 8P!mm 3hxr >pN J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exeic**O Z3h io& 8P?!mm Z3hxr >pO J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!  gOmȉhVTSBrowser8**xP kH3h io& 8P!nrm kH3hxr >pP J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &957x**Q 23h io& 8P7!mm 23hxr >pQ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%+oot-W**R 3h io& 8Po!%% 3hxr >p R J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.\Software\Microsoft\Windows\CurrentVersion\Run**S 3h io& 8Po!%% 3hxr >p S J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.\Software\Microsoft\Windows\CurrentVersion\RunMic**T 3h io& 8Po!%% 3hxr >p T J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.\Software\Microsoft\Windows\CurrentVersion\Run/Op**U 자$3h io& 8P!%% 자$3ho @p U J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںI4tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorun**V k{d&3h io& 8P!%% k{d&3h=bƹOݒip V J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.6tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorun!**W k{d&3h io& 8P!!%% k{d&3h=bƹOݒip W J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںI4"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologinna**X oj&3h io& 8P)!%% oj&3h=bƹOݒip X J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.60""C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologinso**Y oj&3h io& 8Po!%% oj&3h=bƹOݒip Y J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.\Software\Microsoft\Windows\CurrentVersion\Runn30'**Z )Ks&3h io& 8Po!%% )Ks&3h=bƹOݒiD"H"Z J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.\Software\Microsoft\Windows\CurrentVersion\Run :R**[ 5t&3h io& 8P!%% 5t&3h=bƹOݒiD"H"[ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںI4"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"&**\ &3h io& 8P!%% &3h=bƹOݒiD"H"\ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.6""C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"**] $&3h io& 8P!%% $&3h=bƹOݒiD"H"] J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںI4"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"do**^ =%'3h io& 8Pw!%% =%'3h=bƹOݒip ^ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.dSoftware\Microsoft\Windows\CurrentVersion\RunOncendo**_ =%'3h io& 8Pw!%% =%'3h=bƹOݒip _ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.dSoftware\Microsoft\Windows\CurrentVersion\RunOncerat**` BK'3h io& 8P!%% BK'3h=bƹOݒiD"H"` J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.6#"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"**(a BK'3h io& 8P!%% BK'3h=bƹOݒiD"H"a J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںI4"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorun(**0b V'3h io& 8P!%% V'3h=bƹOݒiD"H"b J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.6%"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorunat0**c V'3h io& 8Po!%% V'3h=bƹOݒiD"H"c J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational i.\Software\Microsoft\Windows\CurrentVersion\RunW**xd {0uI3h io& 8P!nqm {0uI3h]k2hnq2hpxd J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &(x**e bvI3h io& 8PQ!mm bvI3h]k2hnq2hpxe J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! "Firefox308046B0AF4A39CBFo**xf {vI3h io& 8P!nrm {vI3h]k2hnq2hpxf J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &ratx**g SwI3h io& 8P7!mm SwI3h]k2hnq2hpxg J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%+ooCor**xh ;s| io& 8P!nqm ;s||s 4p+h J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &QRx**i Rw| io& 8PQ!mm Rw||s 4p+i J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! "Firefox308046B0AF4A39CBic**xj kw| io& 8P!nrm kw||s 4p+j J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &s-Sx**k lx| io& 8P7!mm lx||s 4p+k J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%+oos-S**xl 0\ io& 8P!nqm 0\|s .p5l J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &*x**m b0\ io& 8PQ!mm b0\|s .p5m J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c! "Firefox308046B0AF4A39CBic**xn 0\ io& 8P!nrm 0\|s .p5n J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**o 10\ io& 8P7!mm 10\|s .p5o J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%+oo**p QՄI io& 8P7! QՄIW"_&p J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAllLogonTasks nŠ**q QՄI io& 8PG! QՄIW"_&q J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreDesktopSwitchTasks**r QՄI io& 8P/! QՄIW"_&r J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellPrep**s QՄI io& 8P/! QՄIW"_&s J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellPrep**t QՄI io& 8PO! QՄIW"_&t J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f4AppReadinessPreShellGroupJ-**u QՄI io& 8P5! QՄIW"_&u J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fSkydrivePrepJ-**v QՄI io& 8P5! QՄIW"_&v J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fSkydrivePrepJ-*Microsoft io& 8Ps- QՄIW"_&w J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fnal ElfChnkw !w !@5<P>f=f?mMF!FZRXD&O**w QՄI io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8P! QՄIW"_&w J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational ff6!yƒ>D EventDataA;foData= LogonType A'f=TaskName RunOnceess**x QՄI io& 8P+! QՄIW"_&x J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fRunOnce**y QՄI io& 8P3! QՄIW"_&y J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fActiveSetupa**z hI io& 8P3! hIW"_&z J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fActiveSetupp**{ hI io& 8PC! hIW"_&{ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f(WaitForMSAConnectedt**| hI io& 8PC! hIW"_&| J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f(WaitForMSAConnectedp**} hI io& 8PG! hIW"_&} J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreConfigLauncherSyncona**~ hI io& 8PG! hIW"_&~ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreConfigLauncherSync** hI io& 8PG! hIW"_& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreDesktopSwitchTasksRo** hI io& 8P;! hIW"_& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PerUserServicesp** hI io& 8P;! hIW"_& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PerUserServicesa** hI io& 8P7! hIW"_& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreShellTasksell** hI io& 8PE! hIW"_& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*RoamingPayloads0and1hell** "I io& 8PE! "IW"_& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*RoamingPayloads0and1hell** "I io& 8PO! "IW"_& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f4AppReadinessPreShellGrouprat** "I io& 8P3! "IW"_& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAppResolver** z#I io& 8P!mm z#IW"_& J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EY#EYM~q; g&h\>A'f=Scenario A!f=Flags  ** z#I io& 8P3! z#IoE? J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAppResolvere** z#I io& 8P7! z#IoE? J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreShellTasksSBr** z#I io& 8P9! z#IoE?P J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellInitTasksfo** z#I io& 8P9! z#IoE?P J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellInitTasks** D5J io& 8P7! D5JoE?P J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreStartTasksA** D5J io& 8P;! D5JoE?P J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload2** D5J io& 8PI! D5JoE?P J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f.AppReadinessLogonGroupsi** D5J io& 8P=! D5JoE?P J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f"UpdatePCSettingsicro** D5J io& 8P=! D5JoE?P J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f"UpdatePCSettingsiona** D5J io& 8P;! D5JoE?P J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload2W** D5J io& 8PI! D5JoE?P J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f.AppReadinessLogonGroupW"** D5J io& 8P7! D5JoE?P J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreStartTaskscen** D5J io& 8P7! D5JoE?P J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAllLogonTasksona** D5J io& 8P;! D5JoE?H J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3** D5J io& 8P;! D5JoE?H J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3g** D5J io& 8P[! D5JoE?P J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonCompleter** D5J io& 8P[! D5JoE?P J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonCompleteo** D5J io& 8PE! D5JoE?T J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetryen30'** D5J io& 8PE! D5JoE?T J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetry** > O io& 8P9!nqm > OxrE@ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &D&| p)c>** `O io& 8PC!mm `OxrE@ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F1cᆫ}Q4?A_|>Af=Name A!f=AppID A!f=Flags *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batl** |O io& 8P!mm |OxrE@ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!FfVfN{tTShttp://192.168.10.81:8180/libsystem/page/login.jspR** 1O io& 8P!mm 1OxrE@ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!Ft_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exedo** 1O io& 8P?!mm 1OxrE@ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F gOmȉhVTSBrowserMic**x AO io& 8P!nrm AOxrE@ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dx** O io& 8Pk!mm OxrE@ J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%O:R%&Gm3}>A1f#= ItemsExisting A+f= ItemsAdded A/f!= ItemsRemoved A/f!= ItemsUpdated A-f= ItemsCached oo-**0 4QQ io& 8P!%% 4QQxrET J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational R3"E>2>A%f=KeyName \Software\Microsoft\Windows\CurrentVersion\RunaMic0** 4QQ io& 8Po!%% 4QQxrET J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational R\Software\Microsoft\Windows\CurrentVersion\Run"** 4QQ io& 8Po!%% 4QQxrET J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational R\Software\Microsoft\Windows\CurrentVersion\Run046**H ?Y io& 8P!%% ?YoE`ET J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںX_,ں # >2>A%f=Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorunH**p $ io& 8P !%% $0UbKKp~T J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.Z#m.C HXOagbV>Af=PID A%f=Command tdC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorun*p** $ io& 8P!!%% $0UbKKp~T J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںX"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologinso** X io& 8P)!%% X0UbKKp~T J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.Z "C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologin** X io& 8Po!%% X0UbKKp~T J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational R\Software\Microsoft\Windows\CurrentVersion\RunP** l io& 8Po!%% l0UbKKp~| J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational R\Software\Microsoft\Windows\CurrentVersion\RunMic** ␖ io& 8P!%% ␖0UbKKp~| J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںX"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"ic** 8Yؖ io& 8P!%% 8Yؖ0UbKKp~| J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.Z "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"*** ||ږ io& 8P!%% ||ږ0UbKKp~| J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںX"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"8** +x. io& 8P!%% +x.0UbKKp~| J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.Z|"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"J-**( +x. io& 8P!%% +x.0UbKKp~| J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںX"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorunOp(** e4R io& 8Pw!%% e4R0UbKKp~T J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational RdSoftware\Microsoft\Windows\CurrentVersion\RunOncesPr** e4R io& 8Pw!%% e4R0UbKKp~T J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational RdSoftware\Microsoft\Windows\CurrentVersion\RunOnce**0 -܆ io& 8P!%% -܆0UbKKp~| J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.Z"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorun0** -܆ io& 8Po!%% -܆0UbKKp~| J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational R\Software\Microsoft\Windows\CurrentVersion\Runell**x . io& 8P!nqm .0UbKKp~l# J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dt-Wx** ^0 io& 8P!mm ^00UbKKp~l# J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F_O{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Tencent\WeChat\WeChat.exerat**x sW io& 8P!nrm sW0UbKKp~l# J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Ds-Sx** ̵ io& 8P!mm ̵0UbKKp~l# J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F ~xS}TeuMicrosoft.AutoGenerated.{28E44BCA-F87F-FB6A-A0B6-442A746C782C}0te**@ ̵ io& 8P!mm ̵0UbKKp~l# J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!FTeu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe0 8j@** ט io& 8P7!mm טW"_&l# J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Oom!**x ' io& 8P!nqm ' l# J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dx** I+ io& 8P!mm I+ l# J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F~xS}TeuMicrosoft.AutoGenerated.{88F46F70-A977-00A4-64FD-C38ABF4C1339}0**@ ׾+ io& 8P!mm ׾+ l# J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F Teu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe0at@**@ 3[, io& 8P!mm 3[, l# J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F Teu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe@**x 3[, io& 8P!nrm 3[, l# J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &D5 x** i/ io& 8P7!mm i/ l# J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Oooup**x  io& 8P!nqm  x J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dx**  io& 8PQ!mm  x J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CB**x ; io& 8P!nrm ; x J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &DCorx** 갨 io& 8P7!mm 갨 x J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Opon30'**x ñ4 io& 8P!nqm ñ4|sE4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dt-Wx** 84 io& 8PQ!mm 84|sE4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CBll**x 84 io& 8P!nrm 84|sE4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &DMicx** 4 io& 8P7!mm 4|sE4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%OpoMic**x O io& 8P!nqm O|sE/X* J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &D> x**x D'O io& 8P!nrm D'O|sE/X* J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &DPx**@ O io& 8P!mm O|sE/X* J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F Teu{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe030'@** O io& 8P!mm O|sE/X* J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F~xS}TeuMicrosoft.AutoGenerated.{88F46F70-A977-00A4-64FD-C38ABF4C1339}0 ** hO io& 8P7!mm hOW"_&EX* J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Opm.**x O io& 8P!nqm OoEEX* J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dellx** \O io& 8P!mm \OoEEX* J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F~xS}Teu܏ zc6RMicrosoft.AutoGenerated.{E5A2023D-B25A-AA7B-0125-241AE9CB6697}0,X **H O io& 8P!mm OoEEX* J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!FTeu܏ zc6R{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe0J-H**H }O io& 8P!mm }OoEEX* J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!FTeu܏ zc6R{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exel fH** XO io& 8P!mm XOoEEX* J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F_O{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Tencent\WeChat\WeChat.exelet**x O io& 8P!nrm OoEEX* J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dx** |O io& 8P7!mm |OoEEX* J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Opoona**x {1Oo io& 8P!nqm {1Oo|sE J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dt-Wx** 4U2Oo io& 8PQ!mm 4U2Oo|sE J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CB11** J*4Oo io& 8PQ!mm J*4Oo|sE J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CBic**x 4Oo io& 8P!nrm 4Oo|sE J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &D>x** 7Oo io& 8P7!mm 7OoE J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Oqo**x D io& 8P!nqm D|sE:, J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &D**x** D io& 8PQ!mm D|sE:, J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CB1** D io& 8PQ!mm D|sE:, J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CB**x D io& 8P!nrm D|sE:, J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dx** nD io& 8P7!mm nD, J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%OqoWin**x L io& 8P!nqm L|sE:L6 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dellx** D io& 8PQ!mm D|sE:L6 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CB1so** * io& 8PQ!mm *|sE:L6 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CBdo**x * io& 8P!nrm *|sE:L6 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &D8x** c io& 8P7!mm cEL6 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Opo" /**x k¹WK io& 8P!nqm k¹WK|sEx4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dellx** RIWK io& 8PQ!mm RIWK|sEx4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CB**x gpWK io& 8P!nrm gpWK|sEx4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Doftx** WK io& 8P7!mm WK|sEx4 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Opoona**x w io& 8P!nqm w|sE5 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &DCorx** fw io& 8PQ!mm fw|sE5 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CB1** w io& 8PQ!mm w|sE5 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CB8**x w io& 8P!nrm w|sE5 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dmwax** c=w io& 8P7!mm c=wE5 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Opotwa**x  io& 8P!nqm |sEE, J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &DMicx** Y io& 8PQ!mm Y|sEE, J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CB1-S**  io& 8PQ!mm |sEE, J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CBD"**x  io& 8P!nrm |sEE, J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dautx** jA io& 8P7!mm jAW"_&E, J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Opogra**x pz io& 8P!nqm pz|sE89 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dosox** z io& 8PQ!mm z|sE89 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CB**x z io& 8P!nrm z|sE89 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dx** ͓z io& 8P7!mm ͓z|sE89 J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Ooohp**x (+ io& 8P!nqm (+|sE K J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dhpx** ?a+ io& 8PQ!mm ?a+|sE K J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CB1** Y6+ io& 8PQ!mm Y6+|sE K J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CBll**x Y6+ io& 8P!nrm Y6+|sE K J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dx** A+ io& 8P7!mm A+W"_&EK J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Ooot-W**x Pg- io& 8P!nqm Pg-|sE6K J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dx** x. io& 8PQ!mm x.|sE6K J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CB1ll** u0 io& 8PQ!mm u0|sE6K J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CBll**x u0 io& 8P!nrm u0|sE6K J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dellx** 1 io& 8P7!mm 1K J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Oooell**x Nϱu io& 8P!nqm Nϱu|sEUB J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &DMicx**!u io& 8PQ!mm u|sEUB!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CB1so**!ݴu io& 8PQ!mm ݴu|sEUB!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CBll**x!ݴu io& 8P!nrm ݴu|sEUB!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dosox**!du io& 8P7!mm duB!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%OooJ-**x!Ir: io& 8P!nqm Ir:|sEA!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Dx**!qr: io& 8PQ!mm qr:|sEA!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c!F"Firefox308046B0AF4A39CBJ-N*M io& 8Pt-Windows-Shell-Core/Operational fnal ElfChnk!!!![Tl> =f?mMFUii Aa!g& **h!r: io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8PU!nrm r:|sEA!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &&| p)c.">D EventDatah**!lr: io& 8P}!mm lr:|sEA!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% :R%&Gm3}.">AC oData#= ItemsExisting A+ = ItemsAdded A/ != ItemsRemoved A/ != ItemsUpdated A- = ItemsCached oo***(!"x io& 8P! "x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f f6!yƒpd>A) = LogonType A' =TaskName AllLogonTasksrat(** !"x io& 8PG! "x|swe !J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ,PreDesktopSwitchTasks** !"x io& 8P/! "x|swe !J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ShellPrepona** !"x io& 8P/! "x|swe !J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ShellPrep/Op** !"x io& 8PO! "x|swe !J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f 4AppReadinessPreShellGrouprat** !"x io& 8P5! "x|swe !J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f SkydrivePrep-Cor**!"x io& 8P5! "x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f SkydrivePrepws-S**!"x io& 8P+! "x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RunOnceW**!"x io& 8P+! "x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RunOncec**!"x io& 8P3! "x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ActiveSetupR**!'x io& 8P3! 'x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ActiveSetupl**!'x io& 8PC! 'x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f (WaitForMSAConnectedS**!'x io& 8PC! 'x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f (WaitForMSAConnectedW**!'x io& 8PG! 'x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ,PreConfigLauncherSyncell**!'x io& 8PG! 'x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ,PreConfigLauncherSync**!'x io& 8PG! 'x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ,PreDesktopSwitchTasks**!'x io& 8P;! 'x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  PerUserServices**!'x io& 8P;! 'x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  PerUserServices**!'x io& 8P7! 'x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PreShellTasks**!'x io& 8PE! 'x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f *RoamingPayloads0and1***!)x io& 8PE! )x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f *RoamingPayloads0and1roso**!)x io& 8PO! )x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f 4AppReadinessPreShellGroupt-W**!)x io& 8P3! )x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f AppResolverc**!oD,x io& 8P!mm oD,x|swe!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EY2EYM~q; g&h\>A' =Scenario A! =Flags  ndo** !oD,x io& 8P3! oD,xowe  !J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f AppResolverW**!!oD,x io& 8P7! oD,xowe !!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PreShellTasksMic**"!oD,x io& 8P9! oD,xowe $"!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ShellInitTasksic**#!oD,x io& 8P9! oD,xowe $#!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ShellInitTasksic**$!/x io& 8P7! /xowe $$!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PreStartTasksMic**%!/x io& 8P;! /xowe $%!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  RoamingPayload2c**&!/x io& 8PI! /xowe $&!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f .AppReadinessLogonGroup30'**'!/x io& 8P=! /xowe $'!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f "UpdatePCSettingsws-S**(!/x io& 8P=! /xowe $(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f "UpdatePCSettingsindo**)!/x io& 8P;! /xowe $)!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  RoamingPayload2o***!/x io& 8PI! /xowe $*!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f .AppReadinessLogonGroupdo**+!/x io& 8P7! /xowe $+!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PreStartTasksin\**,!M;y io& 8P7! M;yowe $,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f AllLogonTasksVf**-!M;y io& 8P;! M;yowe 4-!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  RoamingPayload3W**.!M;y io& 8P[! M;yowe .!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f @AppReadinessNotifyLogonCompleteo**/!M;y io& 8P[! M;yowe /!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f @AppReadinessNotifyLogonCompleter**0!M;y io& 8P;! M;yowe 40!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f  RoamingPayload3W**1!M;y io& 8PE! M;yowe 1!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f *ARSFirstRunTelemetry****2!M;y io& 8PE! M;yowe 2!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f *ARSFirstRunTelemetryyNam**x3!a.~ io& 8P!nqm a.~ / DVg3!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &Corx**4!M~ io& 8PC!mm M~ / DVg4!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU1cᆫ}Q4?A_|>A =Name A! =AppID A! =Flags *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**5!`~ io& 8P!mm `~ / DVg5!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cUfVfN{tTShttp://192.168.10.81:8180/libsystem/page/login.jspx**6!(8~ io& 8P!mm (8~ / DVg6!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cUt_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe=**7!(8~ io& 8P?!mm (8~ / DVg7!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU gOmȉhVTSBrowsert-W**x8!~ io& 8P!nrm ~ / DVg8!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &oadx**9!~ io& 8P7!mm ~ / DVg9!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% oo**0:!a io& 8P!%% a / DVg`:!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational Aa3"E>2>A% =KeyName \Software\Microsoft\Windows\CurrentVersion\Run|DQR0**;!a io& 8Po!%% a / DVg`;!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational Aa\Software\Microsoft\Windows\CurrentVersion\RunQR**2>A% =Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autoruneratH**p>!g!ȁ io& 8P !%% g!ȁ / DVg`>!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.ii2m.C HXOagbV>A =PID A% =Command t4C:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorune p**?!g!ȁ io& 8P!!%% g!ȁ / DVg`?!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں!g"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologin**@!oHρ io& 8P)!%% oHρ / DVg`@!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.ii "C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologin **A!oHρ io& 8Po!%% oHρ / DVg`A!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational Aa\Software\Microsoft\Windows\CurrentVersion\Run**B!oց io& 8Po!%% oց / DVg!!B!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational Aa\Software\Microsoft\Windows\CurrentVersion\RunKK**C!؁ io& 8P!%% ؁ / DVg!!C!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں!g"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"8**D!1 io& 8P!%% 1 / DVg!!D!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.iiP!"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"KK**E!1 io& 8P!%% 1 / DVg!!E!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں!g"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"so**F!W{ io& 8Pw!%% W{ / DVg`F!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational AadSoftware\Microsoft\Windows\CurrentVersion\RunOnces-S**G!W{ io& 8Pw!%% W{ / DVg`G!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational AadSoftware\Microsoft\Windows\CurrentVersion\RunOncerat**H!K} io& 8P!%% K} / DVg!!H!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.ii!"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"Op**(I!K} io& 8P!%% K} / DVg!!I!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ں!g"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorun-S(**0J! io& 8P!%%  / DVg!!J!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.ii "C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorun0**K! io& 8Po!%%  / DVg!!K!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational Aa\Software\Microsoft\Windows\CurrentVersion\Run **xL!- io& 8P!nqm -0e#L!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &eux**M!ܴ’ io& 8PQ!mm ܴ’0e#M!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CBor**xN!ܴ’ io& 8P!nrm ܴ’0e#N!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**O!)*Ò io& 8P7!mm )*Ò0e#O!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% oo**xP!whc io& 8P!nqm whc|sweP!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**Q!фkc io& 8PQ!mm фkc|sweQ!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CB1**R!jtc io& 8PQ!mm jtc|sweR!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CB**xS!jtc io& 8P!nrm jtc|sweS!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &!x**T!9yc io& 8P7!mm 9ycW"weT!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% oo!**xU!  io& 8P!nqm  |swe4)U!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &!x**V!  io& 8PQ!mm  |swe4)V!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CB**xW!  io& 8P!nrm  |swe4)W!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &!x**X!g-  io& 8P7!mm g- |swe4)X!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% oo!**xY!߶A io& 8P!nqm ߶A|swe'\Y!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &!x**Z!A io& 8P!mm A|swe'\Z!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU_O{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Tencent\WeChat\WeChat.exeQR**x[!6A io& 8P!nrm 6A|swe'\[!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**H\!_A io& 8P!mm _A|swe'\\!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cUTeu܏ zc6R{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe07!H**]!A io& 8P!mm A|swe'\]!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU~xS}Teu܏ zc6RMicrosoft.AutoGenerated.{E5A2023D-B25A-AA7B-0125-241AE9CB6697}0-S**^!&|,A io& 8P7!mm &|,AW"we\^!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% omMic**x_!3qA io& 8P!nqm 3qAowePze\_!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &!x**`!uA io& 8P!mm uAowePze\`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU~xS}Teu܏ zc6RMicrosoft.AutoGenerated.{E5A2023D-B25A-AA7B-0125-241AE9CB6697}0**Ha!svA io& 8P!mm svAowePze\a!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cUTeu܏ zc6R{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe0H**Hb!s^wA io& 8P!mm s^wAowePze\b!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cUTeu܏ zc6R{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exenrmH**c!wA io& 8P!mm wAowePze\c!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU_O{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Tencent\WeChat\WeChat.exeMic**xd!wA io& 8P!nrm wAowePze\d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &s-Sx**e!ph|A io& 8P7!mm ph|AowePze\e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ooMic**xf!;i, io& 8P!nqm ;i,|swe %f!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**g!z, io& 8PQ!mm z,|swe %g!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CB1so**h!w, io& 8PQ!mm w,|swe %h!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CBic**xi!w, io& 8P!nrm w,|swe %i!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &s-Sx**j!%, io& 8P7!mm %,%j!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ooMic**xk!,O)$ io& 8P!nqm ,O)$|swe?k!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**l!vP)$ io& 8PQ!mm vP)$|swe?l!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CBso**xm!P)$ io& 8P!nrm P)$|swe?m!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**n!OQ)$ io& 8P7!mm OQ)$|swe?n!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% oooso**xo!nyeV-3 io& 8P!nqm nyeV-3|sweI;o!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**p!fV-3 io& 8PQ!mm fV-3|sweI;p!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CB1so**q!BhV-3 io& 8PQ!mm BhV-3|sweI;q!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CBso**xr!VhV-3 io& 8P!nrm VhV-3|sweI;r!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**s!G5jV-3 io& 8P7!mm G5jV-3;s!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% oooso**xt!< io& 8P!nqm <|swet!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**u!< io& 8PQ!mm <|sweu!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CBso**xv!< io& 8P!nrm <|swev!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**w!e1< io& 8P7!mm e1<|swew!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% oooso**xx!L"N io& 8P!nqm L"N|swe \Ix!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**y!^^"N io& 8PQ!mm ^^"N|swe \Iy!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CB1so**z!Z"N io& 8PQ!mm Z"N|swe \Iz!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CBso**x{!Z"N io& 8P!nrm Z"N|swe \I{!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**|!"N io& 8P7!mm "NW"we\I|!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% oooso**x}!T io& 8P!nqm T|sweW}!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**~!|T io& 8PQ!mm |T|sweW~!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CBso**x!T io& 8P!nrm T|sweW!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**!T io& 8P7!mm T|sweW!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ooJ-**x!(ێƮd io& 8P!nqm (ێƮd|swep^!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &x**!Ʈd io& 8PQ!mm Ʈd|swep^!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CB1so**!Ʈd io& 8PQ!mm Ʈd|swep^!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CBso**x!Ʈd io& 8P!nrm Ʈd|swep^!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**!Ʈd io& 8P7!mm Ʈd$p^!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% oooso**x!Ǡk io& 8P!nqm Ǡk|swe>a!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &osox**!Nk io& 8PQ!mm Nk|swe>a!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cU"Firefox308046B0AF4A39CBso**x!Nk io& 8P!nrm Nk|swe>a!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**!k io& 8P7!mm k|swe>a!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R% ooJ-**! j3y io& 8P7! j3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f AllLogonTasksJ-**! j3y io& 8PG! j3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ,PreDesktopSwitchTasksell**! j3y io& 8P/! j3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ShellPreposo**! j3y io& 8P/! j3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ShellPrep**! j3y io& 8PO! j3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f 4AppReadinessPreShellGroupell**! j3y io& 8P5! j3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f SkydrivePrephell**! j3y io& 8P5! j3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f SkydrivePreproso**! j3y io& 8P+! j3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RunOncel**!qLm3y io& 8P+! qLm3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RunOncec**!qLm3y io& 8P3! qLm3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ActiveSetupS**!Үo3y io& 8P3! Үo3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f ActiveSetupo**!Үo3y io& 8PC! Үo3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f (WaitForMSAConnectedcsoft-Windows io& 8P3 Үo3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational ElfChnk!!"!!"@:٥t>f=f?mMF)>TqLQR<&I**!Үo3y io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8P! Үo3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational ff6!yƒ>D EventDataA;foData= LogonType A'f=TaskName (WaitForMSAConnectedA!**!Үo3y io& 8PG! Үo3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreConfigLauncherSync=**!Үo3y io& 8PG! Үo3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreConfigLauncherSyncoso**!Үo3y io& 8PG! Үo3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreDesktopSwitchTasks !**!Үo3y io& 8P;! Үo3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PerUserServices**!Үo3y io& 8P;! Үo3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PerUserServices**!Үo3y io& 8P7! Үo3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreShellTasks !**!Үo3y io& 8PE! Үo3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*RoamingPayloads0and1**! r3y io& 8PE! r3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*RoamingPayloads0and1**! r3y io& 8PO! r3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f4AppReadinessPreShellGroup***! r3y io& 8P3! r3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAppResolverc**! r3y io& 8P!mm r3yW"y`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EYEYM~q; g&h\>A'f=Scenario A!f=Flags  Cor**! r3y io& 8P3! r3yone`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAppResolverr**! r3y io& 8P7! r3yone`,!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreShellTasks/Op**! r3y io& 8P9! r3yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellInitTasksor**! r3y io& 8P9! r3yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellInitTasksll**!`54y io& 8P7! `54yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreStartTasksndo**!`54y io& 8P;! `54yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload2o**!`54y io& 8PI! `54yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f.AppReadinessLogonGroupso**!`54y io& 8P=! `54yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f"UpdatePCSettingsft-W**!`54y io& 8P=! `54yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f"UpdatePCSettingsindo**!`54y io& 8P;! `54yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload2o**!`54y io& 8PI! `54yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f.AppReadinessLogonGroupdo**!`54y io& 8P7! `54yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreStartTasksoso**!J84y io& 8P7! J84yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAllLogonTasksn30'**!J84y io& 8P;! J84yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3R**!J84y io& 8P;! J84yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3!**!J84y io& 8P[! J84yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonCompletec**!J84y io& 8P[! J84yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonCompleteS**!J84y io& 8PE! J84yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetry-Cor**!J84y io& 8PE! J84yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetry|DQR**!g9y io& 8P9!nqm g9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<&| p)c>QR**!rR9y io& 8PC!mm rR9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>1cᆫ}Q4?A_|>Af=Name A!f=AppID A!f=Flags *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**!C9y io& 8P!mm C9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>fVfN{tTShttp://192.168.10.81:8180/libsystem/page/login.jsp**!z9y io& 8P!mm z9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exeQR**!z9y io& 8P?!mm z9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)> gOmȉhVTSBrowserMic**!z9y io& 8PQ!mm z9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>"Firefox308046B0AF4A39CBso**x!z9y io& 8P!nrm z9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<ellx**!9y io& 8Pk!mm 9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I:R%&Gm3}>A1f#= ItemsExisting A+f= ItemsAdded A/f!= ItemsRemoved A/f!= ItemsUpdated A-f= ItemsCached oo;**0!d_o;y io& 8P!%% d_o;yxrne``(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL3"E>2>A%f=KeyName \Software\Microsoft\Windows\CurrentVersion\Runhell0**!d_o;y io& 8Po!%% d_o;yxrne``(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\RunQR**!d_o;y io& 8Po!%% d_o;yxrne``(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\RunCor**H!d_o;y io& 8P!%% d_o;yxrne``(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQR_,ں # >2>A%f=Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorunH**p!9)=y io& 8P !%% 9)=y0e`(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.Tm.C HXOagbV>Af=PID A%f=Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorun-Wp**!9)=y io& 8P!!%% 9)=y0e`(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQR"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologin30'**!-=y io& 8P)!%% -=y0e`(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.T"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologinni**!-=y io& 8Po!%% -=y0e`(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\Run**!%5=y io& 8Po!%% %5=y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\Run**!%5=y io& 8P!%% %5=y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQR"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"**!Ҕ=y io& 8P!%% Ҕ=y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.T"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"8**!Ҕ=y io& 8P!%% Ҕ=y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQR"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"**!y >y io& 8P!%% y >y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.T"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"J-**(!y >y io& 8P!%% y >y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQR"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorun(**!>y io& 8Pw!%% >y0e`(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qLdSoftware\Microsoft\Windows\CurrentVersion\RunOnce?!**!>y io& 8Pw!%% >y0e`(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qLdSoftware\Microsoft\Windows\CurrentVersion\RunOncesol**0!7>y io& 8P!%% 7>y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.T "C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorunmi0**!7>y io& 8Po!%% 7>y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\Runt-W**x!=kttz io& 8P!nqm =kttz|sne`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<%x**!|utz io& 8PQ!mm |utz|sne`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>"Firefox308046B0AF4A39CB1**! ywtz io& 8PQ!mm ywtz|sne`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>"Firefox308046B0AF4A39CB1**x! ywtz io& 8P!nrm ywtz|sne`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<grax**!JJ{tz io& 8P7!mm JJ{tzW"yne`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Ioot-W**!{ io& 8P7! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAllLogonTasks***!{ io& 8PG! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreDesktopSwitchTasks/ D**!{ io& 8P/! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellPrep**!{ io& 8P/! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellPrepmwa**!{ io& 8PO! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f4AppReadinessPreShellGroupes **!{ io& 8P5! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fSkydrivePrep|DQR**!{ io& 8P5! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fSkydrivePrep%%**!{ io& 8P+! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fRunOnce**!{ io& 8P+! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fRunOnce**!{ io& 8P3! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fActiveSetup**!HX{ io& 8P3! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fActiveSetup**!HX{ io& 8PC! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f(WaitForMSAConnected**!HX{ io& 8PC! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f(WaitForMSAConnected**!HX{ io& 8PG! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreConfigLauncherSyncm**!HX{ io& 8PG! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreConfigLauncherSync!**!HX{ io& 8PG! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreDesktopSwitchTasks**!HX{ io& 8P;! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PerUserServices**!HX{ io& 8P;! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PerUserServiceso**!HX{ io& 8P7! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreShellTasksJ-**!HX{ io& 8PE! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*RoamingPayloads0and1hell**!HX{ io& 8PE! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*RoamingPayloads0and1en30'**!HX{ io& 8PO! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f4AppReadinessPreShellGroupCor**!HX{ io& 8P3! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAppResolverc**!HX{ io& 8P!mm HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EY t-W**!HX{ io& 8P3! HX{o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAppResolver**!HX{ io& 8P7! HX{o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreShellTasks023**!HX{ io& 8P9! HX{o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellInitTasksat**!HX{ io& 8P9! HX{o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellInitTasksat**!{ io& 8P7! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreStartTasksxS}**!{ io& 8P;! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload2'**!{ io& 8PI! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f.AppReadinessLogonGroupP**!{ io& 8P=! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f"UpdatePCSettingst\Su**!{ io& 8P=! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f"UpdatePCSettings**!{ io& 8P;! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload2'**!{ io& 8PI! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f.AppReadinessLogonGroupll**!{ io& 8P7! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreStartTasksell**!{ io& 8P7! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAllLogonTasks 1**!{ io& 8P;! {o<<H!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3p**!{ io& 8P;! {o<<H!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3S**!{ io& 8P[! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonComplete**!{ io& 8P[! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonComplete**!{ io& 8PE! {o<<d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetry$**!{ io& 8PE! {o<<d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetry**x!.{ io& 8P!nqm .{W".<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<x**"U{ io& 8P!mm U{W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat-**"t@{ io& 8P!mm t@{W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>fVfN{tTShttp://192.168.10.81:8180/libsystem/page/login.jspr**"PS{ io& 8P!mm PS{W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exeor**")V{ io& 8P?!mm )V{W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)> gOmȉhVTSBrowser**x")V{ io& 8P!nrm )V{W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &</Opx**"bZ{ io& 8P7!mm bZ{W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Ioo"**"{ io& 8Po!%% {W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\Run**"{ io& 8Po!%% {W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\Run**"{ io& 8Po!%% {W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\Run** " @!{ io& 8P!%% @!{o< "J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQRtC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autoruns-S** "GF"{ io& 8P!%% GF"{bc"Firefox308046B0AF4A39CBor**x"H%F{ io& 8P!nrm H%F{y{y{,%"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<J-x**"F{ io& 8P7!mm F{y{y{,%"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%IooJ-**x"X%| io& 8P!nqm X%||s<+P"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<x**"%| io& 8PQ!mm %||s<+P"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>"Firefox308046B0AF4A39CB1J-**" Э%| io& 8PQ!mm Э%||s<+P"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>"Firefox308046B0AF4A39CBdo**x"!%| io& 8P!nrm !%||s<+P"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<*x** "%| io& 8P7!mm %|W".<P "J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%IooMic**x!") io& 8P!nqm )|s<'!"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<`x! io& 8PMicrosoft-Windows-Shell-Core/Operational ElfChnk""6"""6"P,-׸>f=f?mMF &A **8"" io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8P!mm |s<'""J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1cᆫ}Q4?A_>D EventDataA1foData=Name A!f=AppID A!f=Flags "Firefox308046B0AF4A39CBio&8**#"׵ io& 8P9!nrm ׵|s<'#"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & &| p)c>o3**$"M io& 8Pk!mm M|s<'$"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%A :R%&Gm3}>A1f#= ItemsExisting A+f= ItemsAdded A/f!= ItemsRemoved A/f!= ItemsUpdated A-f= ItemsCached ooS**x%"n/9 io& 8P!nqm n/9|s<3%"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & Corx**&"bq/9 io& 8P!mm bq/9|s<3&"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c_O{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Tencent\WeChat\WeChat.exe**x'"bq/9 io& 8P!nrm bq/9|s<3'"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & Corx**H("r/9 io& 8P!mm r/9|s<3("J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cTeu܏ zc6R{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe0H**)"r/9 io& 8P!mm r/9|s<3)"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c~xS}Teu܏ zc6RMicrosoft.AutoGenerated.{E5A2023D-B25A-AA7B-0125-241AE9CB6697}0!***"x}s/9 io& 8P7!mm x}s/9W".<3*"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%A omyW"**x+"/29 io& 8P!nqm /29o<p<3+"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & Px**,"=29 io& 8P!mm =29o<p<3,"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c~xS}Teu܏ zc6RMicrosoft.AutoGenerated.{E5A2023D-B25A-AA7B-0125-241AE9CB6697}0**H-"u29 io& 8P!mm u29o<p<3-"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cTeu܏ zc6R{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exe0indoH**H."929 io& 8P!mm 929o<p<3."J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cTeu܏ zc6R{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oray\SunLogin\SunloginClient\SunloginClient.exeH**/"q29 io& 8P!mm q29o<p<3/"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c_O{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Tencent\WeChat\WeChat.exe!**x0"q29 io& 8P!nrm q29o<p<30"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**1"29 io& 8P7!mm 29o<p<31"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%A oo**x2"kg  io& 8P!nqm kg |s< 12"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**3"}h  io& 8PQ!mm }h |s< 13"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CB1**4"Rj  io& 8PQ!mm Rj |s< 14"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"Firefox308046B0AF4A39CB8**x5"Rj  io& 8P!nrm Rj |s< 15"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & x**6"k  io& 8P7!mm k p< 16"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%A oo 8P7! `54yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreStartTasksoso**!J84y io& 8P7! J84yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAllLogonTasksn30'**!J84y io& 8P;! J84yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3R**!J84y io& 8P;! J84yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3!**!J84y io& 8P[! J84yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonCompletec**!J84y io& 8P[! J84yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonCompleteS**!J84y io& 8PE! J84yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetry-Cor**!J84y io& 8PE! J84yone`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetry|DQR**!g9y io& 8P9!nqm g9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<&| p)c>QR**!rR9y io& 8PC!mm rR9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>1cᆫ}Q4?A_|>Af=Name A!f=AppID A!f=Flags *ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat**!C9y io& 8P!mm C9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>fVfN{tTShttp://192.168.10.81:8180/libsystem/page/login.jsp**!z9y io& 8P!mm z9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exeQR**!z9y io& 8P?!mm z9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)> gOmȉhVTSBrowserMic**!z9y io& 8PQ!mm z9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>"Firefox308046B0AF4A39CBso**x!z9y io& 8P!nrm z9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<ellx**!9y io& 8Pk!mm 9yxrne``d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%I:R%&Gm3}>A1f#= ItemsExisting A+f= ItemsAdded A/f!= ItemsRemoved A/f!= ItemsUpdated A-f= ItemsCached oo;**0!d_o;y io& 8P!%% d_o;yxrne``(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL3"E>2>A%f=KeyName \Software\Microsoft\Windows\CurrentVersion\Runhell0**!d_o;y io& 8Po!%% d_o;yxrne``(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\RunQR**!d_o;y io& 8Po!%% d_o;yxrne``(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\RunCor**H!d_o;y io& 8P!%% d_o;yxrne``(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQR_,ں # >2>A%f=Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorunH**p!9)=y io& 8P !%% 9)=y0e`(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.Tm.C HXOagbV>Af=PID A%f=Command tC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autorun-Wp**!9)=y io& 8P!!%% 9)=y0e`(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQR"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologin30'**!-=y io& 8P)!%% -=y0e`(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.T"C:\Users\Administrator\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe" /qingbangong /start_from=wpsboxreg /broadcast silentautologinni**!-=y io& 8Po!%% -=y0e`(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\Run**!%5=y io& 8Po!%% %5=y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\Run**!%5=y io& 8P!%% %5=y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQR"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"**!Ҕ=y io& 8P!%% Ҕ=y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.T"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"8**!Ҕ=y io& 8P!%% Ҕ=y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQR"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"**!y >y io& 8P!%% y >y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.T"D:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"J-**(!y >y io& 8P!%% y >y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQR"C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorun(**!>y io& 8Pw!%% >y0e`(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qLdSoftware\Microsoft\Windows\CurrentVersion\RunOnce?!**!>y io& 8Pw!%% >y0e`(!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qLdSoftware\Microsoft\Windows\CurrentVersion\RunOncesol**0!7>y io& 8P!%% 7>y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational m.T "C:\Program Files (x86)\Oray\SunLogin\SunloginClient\SunloginClient.exe" --cmd=autorunmi0**!7>y io& 8Po!%% 7>y0e!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\Runt-W**x!=kttz io& 8P!nqm =kttz|sne`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<%x**!|utz io& 8PQ!mm |utz|sne`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>"Firefox308046B0AF4A39CB1**! ywtz io& 8PQ!mm ywtz|sne`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>"Firefox308046B0AF4A39CB1**x! ywtz io& 8P!nrm ywtz|sne`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<grax**!JJ{tz io& 8P7!mm JJ{tzW"yne`!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Ioot-W**!{ io& 8P7! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAllLogonTasks***!{ io& 8PG! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreDesktopSwitchTasks/ D**!{ io& 8P/! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellPrep**!{ io& 8P/! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellPrepmwa**!{ io& 8PO! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f4AppReadinessPreShellGroupes **!{ io& 8P5! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fSkydrivePrep|DQR**!{ io& 8P5! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fSkydrivePrep%%**!{ io& 8P+! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fRunOnce**!{ io& 8P+! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fRunOnce**!{ io& 8P3! {.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fActiveSetup**!HX{ io& 8P3! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fActiveSetup**!HX{ io& 8PC! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f(WaitForMSAConnected**!HX{ io& 8PC! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f(WaitForMSAConnected**!HX{ io& 8PG! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreConfigLauncherSyncm**!HX{ io& 8PG! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreConfigLauncherSync!**!HX{ io& 8PG! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f,PreDesktopSwitchTasks**!HX{ io& 8P;! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PerUserServices**!HX{ io& 8P;! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f PerUserServiceso**!HX{ io& 8P7! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreShellTasksJ-**!HX{ io& 8PE! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*RoamingPayloads0and1hell**!HX{ io& 8PE! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*RoamingPayloads0and1en30'**!HX{ io& 8PO! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f4AppReadinessPreShellGroupCor**!HX{ io& 8P3! HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAppResolverc**!HX{ io& 8P!mm HX{.<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EY t-W**!HX{ io& 8P3! HX{o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAppResolver**!HX{ io& 8P7! HX{o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreShellTasks023**!HX{ io& 8P9! HX{o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellInitTasksat**!HX{ io& 8P9! HX{o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fShellInitTasksat**!{ io& 8P7! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreStartTasksxS}**!{ io& 8P;! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload2'**!{ io& 8PI! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f.AppReadinessLogonGroupP**!{ io& 8P=! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f"UpdatePCSettingst\Su**!{ io& 8P=! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f"UpdatePCSettings**!{ io& 8P;! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload2'**!{ io& 8PI! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f.AppReadinessLogonGroupll**!{ io& 8P7! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fPreStartTasksell**!{ io& 8P7! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fAllLogonTasks 1**!{ io& 8P;! {o<<H!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3p**!{ io& 8P;! {o<<H!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f RoamingPayload3S**!{ io& 8P[! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonComplete**!{ io& 8P[! {o<<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f@AppReadinessNotifyLogonComplete**!{ io& 8PE! {o<<d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetry$**!{ io& 8PE! {o<<d!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational f*ARSFirstRunTelemetry**x!.{ io& 8P!nqm .{W".<!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<x**"U{ io& 8P!mm U{W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>*ZTSstartup.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat-**"t@{ io& 8P!mm t@{W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>fVfN{tTShttp://192.168.10.81:8180/libsystem/page/login.jspr**"PS{ io& 8P!mm PS{W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exeor**")V{ io& 8P?!mm )V{W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)> gOmȉhVTSBrowser**x")V{ io& 8P!nrm )V{W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &</Opx**"bZ{ io& 8P7!mm bZ{W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%Ioo"**"{ io& 8Po!%% {W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\Run**"{ io& 8Po!%% {W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\Run**"{ io& 8Po!%% {W".<"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational qL\Software\Microsoft\Windows\CurrentVersion\Run** " @!{ io& 8P!%% @!{o< "J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational _,ںQRtC:\Program Files (x86)\Tencent\WeChat\WeChat.exe -autoruns-S** "GF"{ io& 8P!%% GF"{bc"Firefox308046B0AF4A39CBor**x"H%F{ io& 8P!nrm H%F{y{y{,%"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<J-x**"F{ io& 8P7!mm F{y{y{,%"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%IooJ-**x"X%| io& 8P!nqm X%||s<+P"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<x**"%| io& 8PQ!mm %||s<+P"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>"Firefox308046B0AF4A39CB1J-**" Э%| io& 8PQ!mm Э%||s<+P"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c)>"Firefox308046B0AF4A39CBdo**x"!%| io& 8P!nrm !%||s<+P"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<*x** "%| io& 8P7!mm %|W".<P "J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%IooMic**x!") io& 8P!nqm )|s<'!"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &<`x! io& 8PMicrosoft-Windows-Shell-Core/Operational ElfChnk^^4>f=f?mMF  &**}U io&iozZgAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannelBF;nComputerWIN-3PIMCL4OH3LAB.SecurityfLUserID ! 8P!mm }U|s\J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%:R%&Gm3}J>>D EventDataACfoData#= ItemsExisting A+f= ItemsAdded A/f!= ItemsRemoved A/f!= ItemsUpdated A-f= ItemsCached iiCor**?HV io& 8P9!nqm ?HV"d;:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & &| p)c>\X**?HV io& 8P5!mm ?HV"d;:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c 1cᆫ}Q4?A_|>Af=Name A!f=AppID A!f=Flags ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.batft-W**HV io& 8P!mm HV"d;:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe C**HV io& 8P?!mm HV"d;:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xHV io& 8P!nrm HV"d;:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**HV io& 8P7!mm HV"d;:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xEgV io& 8P!nqm EgV"d;BJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & osox**EgV io& 8P!mm EgV"d;BJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat **DEgV io& 8P!mm DEgV"d;BJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **DEgV io& 8P?!mm DEgV"d;BJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xDEgV io& 8P!nrm DEgV"d;BJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**DEgV io& 8P7!mm DEgV"d;BJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xV io& 8P!nqm V"d;BJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & osox**V io& 8P!mm V"d;BJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat **^ÔV io& 8P!mm ^ÔV"d;BJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe y**^ÔV io& 8P?!mm ^ÔV"d;BJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x^ÔV io& 8P!nrm ^ÔV"d;BJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**^ÔV io& 8P7!mm ^ÔV"d;BJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xeV io& 8P!nqm eV"d;HKJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & osox**eV io& 8P!mm eV"d;HKJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat **JȓV io& 8P!mm JȓV"d;HKJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **JȓV io& 8P?!mm JȓV"d;HKJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xJȓV io& 8P!nrm JȓV"d;HKJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**JȓV io& 8P7!mm JȓV"d;HKJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xSW io& 8P!nqm SW"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & osox**SW io& 8P!mm SW"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat 7**W io& 8P!mm W"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe "**W io& 8P?!mm W"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xW io& 8P!nrm W"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**W io& 8P7!mm W"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xQ0W io& 8P!nqm Q0W"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & osox**Q0W io& 8P!mm Q0W"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat w**0W io& 8P!mm 0W"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **0W io& 8P?!mm 0W"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x0W io& 8P!nrm 0W"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**0W io& 8P7!mm 0W"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xLW io& 8P!nqm LW"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & osox**LW io& 8P!mm LW"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat **&LW io& 8P!mm &LW"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe ;g**&LW io& 8P?!mm &LW"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x&LW io& 8P!nrm &LW"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**&LW io& 8P7!mm &LW"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xq/6kW io& 8P!nqm q/6kW"d;L7J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & osox**q/6kW io& 8P!mm q/6kW"d;L7J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat **-16kW io& 8P!mm -16kW"d;L7J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe nT**-16kW io& 8P?!mm -16kW"d;L7J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x-16kW io& 8P!nrm -16kW"d;L7J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**-16kW io& 8P7!mm -16kW"d;L7J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xMW io& 8P!nqm MW"d;x-J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & osox**MW io& 8P!mm MW"d;x-J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat **EMW io& 8P!mm EMW"d;x-J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **EMW io& 8P?!mm EMW"d;x-J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xEMW io& 8P!nrm EMW"d;x-J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**EMW io& 8P7!mm EMW"d;x-J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xW io& 8P!nqm W"d;P=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & osox**W io& 8P!mm W"d;P=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat Wq**U?W io& 8P!mm U?W"d;P=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **U?W io& 8P?!mm U?W"d;P=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x U?W io& 8P!nrm U?W"d;P= J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x** U?W io& 8P7!mm U?W"d;P= J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**x |X io& 8P!nqm |X"d;( J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & osox** |X io& 8P!mm |X"d;( J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat ** =X io& 8P!mm =X"d;( J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe |**=X io& 8P?!mm =X"d;(J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x=X io& 8P!nrm =X"d;(J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**=X io& 8P7!mm =X"d;(J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**x4t4X io& 8P!nqm 4t4X"d;H=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & osox**4t4X io& 8P!mm 4t4X"d;H=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat D**Ut4X io& 8P!mm Ut4X"d;H=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe G**Ut4X io& 8P?!mm Ut4X"d;H=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xUt4X io& 8P!nrm Ut4X"d;H=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**Ut4X io& 8P7!mm Ut4X"d;H=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xX io& 8P!nqm X"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & osox**X io& 8P!mm X"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat **X io& 8P!mm X"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe K**X io& 8P?!mm X"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xX io& 8P!nrm X"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**X io& 8P7!mm X"d;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**x>X io& 8P!nqm >X"d;QJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & osox**>X io& 8P!mm >X"d;QJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat 0**AX io& 8P!mm AX"d;QJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe Y** AX io& 8P?!mm AX"d;Q J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x!AX io& 8P!nrm AX"d;Q!J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**"AX io& 8P7!mm AX"d;Q"J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**x#f0X io& 8P!nqm f0X"d;`,#J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & osox**$f0X io& 8P!mm f0X"d;`,$J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat 0**%0X io& 8P!mm 0X"d;`,%J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **&0X io& 8P?!mm 0X"d;`,&J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x'0X io& 8P!nrm 0X"d;`,'J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & **x**(0X io& 8P7!mm 0X"d;`,(J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**x)ZX io& 8P!nqm ZX"d;\1)J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & &x***ZX io& 8P!mm ZX"d;\1*J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat <**+EX io& 8P!mm EX"d;\1+J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **,EX io& 8P?!mm EX"d;\1,J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x-EX io& 8P!nrm EX"d;\1-J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ex**.EX io& 8P7!mm EX"d;\1.J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**x/mY io& 8P!nqm mY"d;5/J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & &x**0mY io& 8P!mm mY"d;50J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat **1vmY io& 8P!mm vmY"d;51J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe v**2vmY io& 8P?!mm vmY"d;52J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x3vmY io& 8P!nrm vmY"d;53J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ex**4vmY io& 8P7!mm vmY"d;54J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**x5p?Y io& 8P!nqm p?Y"d;75J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & &x**6p?Y io& 8P!mm p?Y"d;76J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat %**7}?Y io& 8P!mm }?Y"d;77J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **8}?Y io& 8P?!mm }?Y"d;78J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x9}?Y io& 8P!nrm }?Y"d;79J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ex**:}?Y io& 8P7!mm }?Y"d;7:J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**x;NeY io& 8P!nqm NeY"d;tL;J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & &x**<NeY io& 8P!mm NeY"d;tL<J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat **=eY io& 8P!mm eY"d;tL=J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe >**>eY io& 8P?!mm eY"d;tL>J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x?eY io& 8P!nrm eY"d;tL?J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ex**@eY io& 8P7!mm eY"d;tL@J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xAb˰Y io& 8P!nqm b˰Y"d;EAJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & &x**Bb˰Y io& 8P!mm b˰Y"d;EBJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat **C-Y io& 8P!mm -Y"d;ECJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe **D-Y io& 8P?!mm -Y"d;EDJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xE-Y io& 8P!nrm -Y"d;EEJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ex**F-Y io& 8P7!mm -Y"d;EFJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xG166Z io& 8P!nqm 166Z"d;6GJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & &x**H166Z io& 8P!mm 166Z"d;6HJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat ī**I6Z io& 8P!mm 6Z"d;6IJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe %**J6Z io& 8P?!mm 6Z"d;6JJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xK6Z io& 8P!nrm 6Z"d;6KJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ex**L6Z io& 8P7!mm 6Z"d;6LJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xM1}UZ io& 8P!nqm 1}UZ"d;+MJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & &x**N1}UZ io& 8P!mm 1}UZ"d;+NJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat **OD4}UZ io& 8P!mm D4}UZ"d;+OJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe Y;**PD4}UZ io& 8P?!mm D4}UZ"d;+PJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xQD4}UZ io& 8P!nrm D4}UZ"d;+QJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ex**RD4}UZ io& 8P7!mm D4}UZ"d;+RJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xST qZ io& 8P!nqm T qZ"d;|KSJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & &x**TT qZ io& 8P!mm T qZ"d;|KTJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat **UW qZ io& 8P!mm W qZ"d;|KUJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe  **VW qZ io& 8P?!mm W qZ"d;|KVJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**xWW qZ io& 8P!nrm W qZ"d;|KWJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ex**XW qZ io& 8P7!mm W qZ"d;|KXJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iio&**xYo]/Z io& 8P!nqm o]/Z"d;QYJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & &x**Zo]/Z io& 8P!mm o]/Z"d;QZJ-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c ZTS.bat - _wce_D:\rfid\apache-tomcat-8.5.32\bin\startup.bat **[_/Z io& 8P!mm _/Z"d;Q[J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c t_SC:\Users\Administrator\AppData\Roaming\_S\X86\KuaiZip.exe }**\_/Z io& 8P?!mm _/Z"d;Q\J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c  gOmȉhVTSBrowser**x]_/Z io& 8P!nrm _/Z"d;Q]J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational & ex**^_/Z io& 8P7!mm _/Z"d;Q^J-N*Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%iiwset-Wdows-Shell-Core/Operational