ElfFilejElfChnkȰn**x|^ E'b&E'bUa4UxLIDwEAM Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemAY{Provider6F=KNameX)GuidAMzaEventID'X) Qualifiers " Version dLevelE{Task ?Opcode$fjKeywordsAP; TimeCreated'j<{ SystemTime .F EventRecordID A Correlation\FF ActivityIDmz5RelatedActivityID Am ExecutionHFF ProcessID9ThreadID "aChannel<F;nComputer FILF-APP-RECAB.SecurityfLUserID ! 8Pg!mm |^gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1cᆫ}Q4?A_8D EventDataA1`oData=Name A!`=AppID A!`=Flags hNarrator{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\narrator.exe88x**|^ E'b& 8P!mm |^gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c&^On-Screen Keyboard{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\osk.exe8o** E'b& 8P!mm gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cfNotepad{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe8hell**0# E'b& 8P!mm 0#gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c*LAdministrative ToolsMicrosoft.Windows.AdministrativeTools9ydri**0# E'b& 8P!mm 0#gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c^Command Prompt{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe8** E'b& 8Pe!mm gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c6This PCMicrosoft.Windows.Computer9 ** E'b& 8Py!mm gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c>Control PanelMicrosoft.Windows.ControlPanel9so** E'b& 8Pq!mm gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c6File ExplorerMicrosoft.Windows.Explorer9ic** E'b& 8Pw!mm gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"6Help and SupportMicrosoft.Windows.Helppane9ona** E'b& 8Pk!mm gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cDRunMicrosoft.Windows.Shell.RunDialog9o** E'b& 8Pc!mm gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c4DesktopMicrosoft.Windows.Desktopm** E'b& 8PQ!mm gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c$SearchWindows.UI.Searchm2f**zJ E'b& 8P!mm zJgfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c`Calculator{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\calc.exe8**6 E'b& 8P!mm 6gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c fPaint{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe8** 6 E'b& 8P!mm 6gfdhfX\  ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c4@Remote Desktop ConnectionMicrosoft.Windows.RemoteDesktop9r**! E'b& 8P!mm gfdhfX\! ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c^Steps Recorder{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\psr.exe8a**(" E'b& 8P!mm gfdhfX\" ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cWordPad{6D809377-6AF0-444B-8957-A3773F02200E}\Windows NT\Accessories\wordpad.exe8(**# E'b& 8P!mm gfdhfX\# ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c,fWindows Server Backup{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\wbadmin.msc8 **$ E'b& 8P!mm gfdhfX\$ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c&dComponent Services{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\comexp.msc8or**0%y]  E'b& 8P!mm y] gfdhfX\% ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c(~Computer ManagementMicrosoft.AutoGenerated.{8ABD94FB-E7D6-84A6-A997-C918EDDE0AE5}8ft-W0**(&ɿ  E'b& 8P!mm ɿ gfdhfX\& ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c>dDefragment and Optimize Drives{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dfrgui.exe8(** 'ɿ  E'b& 8P!mm ɿ gfdhfX\' ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c~Event ViewerMicrosoft.AutoGenerated.{BB044BFD-25B7-2FAA-22A8-6371A93E0456}80 **(! E'b& 8P!mm !gfdhfX\( ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c hiSCSI Initiator{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\iscsicpl.exe8n30'** )7 E'b& 8P!mm 7gfdhfX\) ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c4fWindows Memory Diagnostic{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\MdSched.exe8in **(* E'b& 8P!mm gfdhfX\* ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c6hODBC Data Sources (32-bit){D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\odbcad32.exe8(**(+ E'b& 8P!mm gfdhfX\+ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c6hODBC Data Sources (64-bit){1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\odbcad32.exe8ft-W(**0, I E'b& 8P!mm IgfdhfX\, ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c(~Performance MonitorMicrosoft.AutoGenerated.{8AA47365-B2B3-1961-69EB-F866E376B12F}8l f0**(- I E'b& 8P!mm IgfdhfX\- ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c"~Resource MonitorMicrosoft.AutoGenerated.{C804BBA7-FA5F-CBF7-8B55-2096E5F972CB}8(**0. E'b& 8P!mm gfdhfX\. ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c,~Local Security PolicyMicrosoft.AutoGenerated.{BD3F924E-55FB-A1BA-9DE6-B50F9F2460AC}8ic0** / E'b& 8P!mm gfdhfX\/ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c<^Security Configuration Wizard{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\scw.exe8Op **0)p E'b& 8P!mm )pgfdhfX\0 ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1crServer Manager{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ServerManager.exe8r&**1)p E'b& 8P!mm )pgfdhfX\1 ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1chServices{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\services.msc88**2h E'b& 8P!mm hgfdhfX\2 ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c*hSystem Configuration{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\msconfig.exe8**3h E'b& 8P!mm hgfdhfX\3 ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c&hSystem Information{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\msinfo32.exe8ft-W** 44" E'b& 8P!mm 4"gfdhfX\4 ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c~Task SchedulerMicrosoft.AutoGenerated.{C1C6F8AC-40A3-0F5C-146F-65A9DC70BBB4}8 **054" E'b& 8P!mm 4"gfdhfX\5 ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cP\Windows Firewall with Advanced Security{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WF.msc80**P64" E'b& 8P!mm 4"gfdhfX\6 ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c2Windows PowerShell (x86){D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\WindowsPowerShell\v1.0\powershell.exe0P**`7$ E'b& 8P!mm $gfdhfX\7 ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c:Windows PowerShell ISE (x86){D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\WindowsPowerShell\v1.0\PowerShell_ISE.exe8`**X8W& E'b& 8P!mm W&gfdhfX\8 ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c.Windows PowerShell ISE{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\PowerShell_ISE.exe8PX**9W& E'b& 8P!mm W&gfdhfX\9 ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c,fWindows Server Backup{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\wbadmin.msc8** :0 E'b& 8P!mm 0gfdhfX\: ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c~Task ManagerMicrosoft.AutoGenerated.{923DD477-5846-686B-A659-0FCCD73851A8}8 **H;0 E'b& 8P!mm 0gfdhfX\; ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c&Windows PowerShell{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe0SeOH**p<jG5 E'b& 8P!mm jG5gfdhfX\< ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1ch~dmarrer la journalisation de statistiques de la VMMicrosoft.AutoGenerated.{14A21382-6511-3324-B505-306A7D8FF83A}0ionap**=jG5 E'b& 8P9!nrm jG5gfdhfX\= ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &b&| p)c8na**p>! : E'b& 8P !mm ! :nih<X\> ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational *!رc*!.mwف8A#`=Groups A!`=Tiles A/`!= Placeholders A!`=Flags   p**?n< E'b& 8Pk!mm n<nih<X\? ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%!f:R%&Gm3}8A1`#= ItemsExisting A+`= ItemsAdded A/`!= ItemsRemoved A/`!= ItemsUpdated A-`= ItemsCached +,** @> E'b& 8P! >nih<X\@ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fhf6!yƒpd8A)`= LogonType A'`=TaskName  AppResolver **A> E'b& 8P7! >nih<X\A ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh PreShellTasks **B> E'b& 8P9! >nih<XB ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh ShellInitTasks**C> E'b& 8P9! >nih<XC ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh ShellInitTasks**DM E'b& 8P7! Mnih<XD ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh PreStartTasks**EM E'b& 8P;! Mnih<XE ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh  RoamingPayload2**FM E'b& 8PI! Mnih<XF ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh. AppReadinessLogonGroup**G E'b& 8P=! nih<XG ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh" UpdatePCSettingsR**xH% E'b& 8P!nqm %W"8X8 H ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &b x**I# E'b& 8Pq!mm #W"8X8 I ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c6File ExplorerMicrosoft.Windows.Explorer**J# E'b& 8P!mm #W"8X8 J ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1crServer Manager{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ServerManager.exeMic**HK# E'b& 8P!mm #W"8X8 K ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c&Windows PowerShell{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exeH**xL# E'b& 8P!nrm #W"8X8 L ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &bksx**MZ E'b& 8P7!mm ZW"8X8 M ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%!f,,oad**N"  E'b& 8P=! " kh JkXN ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh" UpdatePCSettingsgPay**O"  E'b& 8P;! " kh JkXO ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh  RoamingPayload2p**P"  E'b& 8P!mm " kh JkXP ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational EYEYM~q; g&h\8A'`=Scenario A!`=Flags  **xQ"  E'b& 8P!nqm " kh JkXQ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &br&x**xR"  E'b& 8P!nrm " kh JkXR ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational &b**x**SD E'b& 8P7!mm Dkh JkXS ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational :R%!f,,****TD E'b& 8PI! Dkh JkXT ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh. AppReadinessLogonGroupXDŽ**UD E'b& 8P7! Dkh JkXU ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh PreStartTasks**VD E'b& 8P7! Dkh JkXV ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh AllLogonTasks**WD E'b& 8P;! Dkh JkXd W ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh  RoamingPayload3**XD E'b& 8P[! Dkh JkXt X ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh@ AppReadinessNotifyLogonComplete**Y  E'b& 8P;! kh JkXd Y ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh  RoamingPayload3**Z  E'b& 8P[! kh JkXt Z ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh@ AppReadinessNotifyLogonComplete**[  E'b& 8PE! kh JkX [ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh* ARSFirstRunTelemetry**\  E'b& 8PE! kh JkX \ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational fh* ARSFirstRunTelemetry**0].s E'b& 8P!%% .sSIľUGc\28A%`=KeyName \Software\Microsoft\Windows\CurrentVersion\Runroso0**H^.s E'b& 8P!%% .sSIľUGc\28A%`=Command z"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusroH**x_Ѣ E'b& 8P!%% ѢSIľUGc\A'f=Filename A+f= SchemaType A)f= ErrorCode A3f%=Failure reason | C:\Program Files\Internet Explorer\VisualElementsManifest.xmlNULLQR**(~7 E'b 8P!nm ~7gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational Dڙ C:\Program Files\Internet Explorer\iexplore.VisualElementsManifest.xmlNULL(**~7 E'b 8P)!mm ~7gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1c1cᆫ}Q4?A_|>Af=Name A!f=AppID A!f=Flags $FInternet ExplorerMicrosoft.InternetExplorer.Default-S**$ E'b 8P!mm $gfdhfX\ ذĤi 2Microsoft-Windows-Shell-Coren30'|DQRaMicrosoft-Windows-Shell-Core/Operational 1cfMagnifier{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\magnify.exe8s E'b 8PP