ElfFile'Mmu$ElfChnk&&{|"+qBW:)' )))`g*'\')@*[)S&jM{09N+NA2x'.F$** / &%xgA[M Eventjxmlns5http://schemas.microsoft.com/win/2004/08/events/eventoTSystemA{ProviderF=KNameMicrosoft-Windows-WinlogonF)Guid&{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}`EventSourceNameWlclntfyAM;aEventID'\) Qualifiers " Version dLevelE{Task Opcode$'jKeywordsAPR; TimeCreated'{j<{ SystemTime .F EventRecordID A Correlation\F ActivityID.;5RelatedActivityIDAmj ExecutionHF ProcessID9ThreadID 8aChannel Application<R;nComputer oem-KomputerAB`.SecurityfLUserID ! !p /E F0&F%g>9{p(xlWD EventDataoData !BinaryGPClient**// & 9!pl./E F0GPClient**// & 9!p//E F0GPClient43**`A7S/  r7!%ɻAMsj5http://schemas.microsoft.com/win/2004/08/events/event\AF=A; \      'AR {  AF. AjF  " oem-KomputerA`  !  N:!3Q/\EMicrosoft-Windows-User Profiles Service鱉ZDD XEApplication  /Ô*FgA[W'=EVENT_HIVE_LEAKA#=Detail 15 user registry handles leaked from \Registry\User\S-1-5-21-2759892201-2169362047-2630836426-1000: Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000 Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000 Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000 Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000 Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000\Software\Microsoft\SystemCertificates\Root Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000\Software\Microsoft\SystemCertificates\SmartCardRoot Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000\Software\Microsoft\SystemCertificates\Disallowed Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000\Software\Microsoft\SystemCertificates\TrustedPeople Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000\Software\Microsoft\SystemCertificates\My Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000\Software\Microsoft\SystemCertificates\CA Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000\Software\Policies\Microsoft\SystemCertificates Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000\Software\Policies\Microsoft\SystemCertificates Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000\Software\Policies\Microsoft\SystemCertificates Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000\Software\Policies\Microsoft\SystemCertificates Process 464 (\Device\HarddiskVolume2\windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000\Software\Microsoft\SystemCertificates\trust `**l)/ 'F$ 'F+DNA Msj5http://schemas.microsoft.com/win/2004/08/events/event\AF=A; \      'AR {  AF. AjF  " oem-KomputerA`  $S&.5DUserData! @!'{d)/ WE需M`ϜMicrosoft-Windows-RestartManagerF,$r$Application x'-+W'A'e'RmUnsupportedRestartEventF'Mwxmlns:auto-ns2/http://schemas.microsoft.com/win/2004/08/eventsjDhttp://www.microsoft.com/2005/08/Windows/Reliability/RestartManager/* )L RmSessionId :)=Pid $[)FullPath *)-T DisplayName ()? AppVersion ")[AppType **, TSSessionId  @**Status  g*Reason  .&TC:\windows\explorer.exeEksplorator Windows**ѓ*/ =/' N+=/' }{ȰdIAMsj5http://schemas.microsoft.com/win/2004/08/events/event)A8/=ASP.NET 4.0.30319.0A; \   'AR {    Application" oem-KomputerA`  ! #!ѓ*/dE F0***/ =/' N+ #!*/jE F0**05/ 8.8 oh_J&~¹AMsj5http://schemas.microsoft.com/win/2004/08/events/event%A4+=Application ErrorA; \   'AR {    Application" oem-KomputerA`  ! !do5/E F0MsiExec.exe5.0.7601.175144ce79d93MSIFF32.tmp_unloaded0.0.0.050c9b9e3c0000005000007fef6e9791483801cf2f358d3cedabC:\Windows\system32\MsiExec.exeMSIFF32.tmpce3da52e-9b28-11e3-8f6f-001060d107d10** h5/ 9e29e8sҰAMsj5http://schemas.microsoft.com/win/2004/08/events/eventA*!= MsiInstallerA; \   'AR {    Application" oem-KomputerA`  !  =!.;5/E F0&Product: Microsoft Office Office 64-bit Components 2010 -- Error 1920. Service 'Office Software Protection Platform' (osppsvc) failed to start. Verify that you have sufficient privileges to start system services.(NULL)(NULL)(NULL)(NULL)(NULL)&{90140000-002A-0000-1000-0000000FF1CE}**8 h5/ 9e2  !h5/E F0RMicrosoft Office Office 64-bit Components 2010Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition1603(NULL)(NULL)(NULL)R{90140000-002A-0000-1000-0000000FF1CE} {51CCA922-A0CC-47C4-8910-6936D97CAC2E} 16038** 05/ xP9xP+WJ˟AMsj5http://schemas.microsoft.com/win/2004/08/events/event AF=Microsoft-Windows-WinlogonF&{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}WinlogonA; \      'AR {  AF.AjF   Application" oem-KomputerA`  ! O! 5/E F0,0x000000000x00000000**p %9/ 8. !d%9/E F0Explorer.EXE6.1.7601.175674d672ee4ntdll.dll6.1.7601.18247521eaf24c00000060000000000018f75c401cf2f35f5b0e868C:\Windows\Explorer.EXEC:\Windows\SYSTEM32\ntdll.dllfb23dadd-9b2c-11e3-9ae6-001060d107d1p**P 9/ 8. !d%9/E F0~C:\windows\System32\shell32.dllEksplorator WindowsC00001853P**mA/ ALNAAL/֕QWRAMsj5http://schemas.microsoft.com/win/2004/08/events/eventA&= SideBySideA; \   'AR {    Application" oem-KomputerA`  ! !!OJmA/E F0Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"d:\Hyper80\Program\otherprograms\Firefly\Firefly.exe**PmA/ ALNA !!mA/E F0~Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"d:\Hyper80\Program\otherprograms\Gaussian\g09.exeP**XmA/ ALNA !!mA/E F0Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"d:\Hyper80\Program\otherprograms\mopac2009\Mopac2009.exeX**@|{nA/ ALNA !!mA/E F0tMicrosoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"d:\Hyper80\Program\otherprograms\PQS\PQS.EXE@**H|{nA/ ALNA !!|{nA/E F0|Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"d:\Hyper80\Program\otherprograms\QChem\qchem.exeH**X??B/ ALNA !!|{nA/E F0Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"d:\Hyper80\Program\otherprograms\wingamess\gamess.06.exeX**PY\/ ALNA !!Y\/E F0Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"d:\Hyper80\Program\otherprograms\Firefly\Firefly.exeP**PY\/ ALNA !!Y\/E F0~Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"d:\Hyper80\Program\otherprograms\Gaussian\g09.exeP**XY\/ ALNA !!Y\/E F0Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"d:\Hyper80\Program\otherprograms\mopac2009\Mopac2009.exeX**@Y\/ ALNA !!Y\/E F0tMicrosoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"d:\Hyper80\Program\otherprograms\PQS\PQS.EXE@**HY\/ ALNA !!Y\/E F0|Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"d:\Hyper80\Program\otherprograms\QChem\qchem.exeH**Xoq/ ALNA !!Y\/E F0Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"d:\Hyper80\Program\otherprograms\wingamess\gamess.06.exeX**`Ȓq/ 8. !d1q/E F0MsiExec.exe5.0.7601.175144ce79d93MSI4379.tmp_unloaded0.0.0.050c9b9e3c0000005000007fef34479148e401cf2f71e42fc5efC:\Windows\system32\MsiExec.exeMSI4379.tmp24c55f85-9b65-11e3-9ae6-001060d107d1`**q/ 9e2  =!.ktq/E F0&Product: Microsoft Office Office 64-bit Components 2010 -- Error 1920. Service 'Office Software Protection Platform' (osppsvc) failed to start. Verify that you have sufficient privileges to start system services.(NULL)(NULL)(NULL)(NULL)(NULL)&{90140000-002A-0000-1000-0000000FF1CE}**8q/ 9e2  !q/E F0RMicrosoft Office Office 64-bit Components 2010Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition1603(NULL)(NULL)(NULL)R{90140000-002A-0000-1000-0000000FF1CE} {51CCA922-A0CC-47C4-8910-6936D97CAC2E} 16038**`2-Ǟ/ 8. !dƞ/E F0MsiExec.exe5.0.7601.175144ce79d93MSI57E9.tmp_unloaded0.0.0.050c9b9e3c0000005000007fef8307914a8c01cf2f9ec35d76a6C:\Windows\system32\MsiExec.exeMSI57E9.tmp0484442d-9b92-11e3-9ae6-001060d107d1`**lٞ/ 9e2  =!.ٞ/E F0&Product: Microsoft Office Office 64-bit Components 2010 -- Error 1920. Service 'Office Software Protection Platform' (osppsvc) failed to start. Verify that you have sufficient privileges to start system services.(NULL)(NULL)(NULL)(NULL)(NULL)&{90140000-002A-0000-1000-0000000FF1CE}**8lٞ/ 9e2  !lٞ/E F0RMicrosoft Office Office 64-bit Components 2010Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition1603(NULL)(NULL)(NULL)R{90140000-002A-0000-1000-0000000FF1CE} {51CCA922-A0CC-47C4-8910-6936D97CAC2E} 16038** / xP9 O! /(E F0,0x000000000x00000000**!2vF/    N!rm>/x eEMicrosoft-Windows-User Profiles Service鱉ZDD XEApplication  1 user registry handles leaked from \Registry\User\S-1-5-21-2759892201-2169362047-2630836426-1000: Process 1444 (\Device\HarddiskVolume2\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon **"/ xP9 O! b/kE F0,0x000000000x00000000**#l/    N!i/EMicrosoft-Windows-User Profiles Service鱉ZDD XEApplication  1 user registry handles leaked from \Registry\User\S-1-5-21-2759892201-2169362047-2630836426-1000: Process 1488 (\Device\HarddiskVolume2\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon **$iϰ/ xP9 O! <]ΰ/E F0,0x000000000x00000000**%εO/    N!lM/ EMicrosoft-Windows-User Profiles Service鱉ZDD XEApplication  1 user registry handles leaked from \Registry\User\S-1-5-21-2759892201-2169362047-2630836426-1000: Process 1512 (\Device\HarddiskVolume2\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe) has opened key \REGISTRY\USER\S-1-5-21-2759892201-2169362047-2630836426-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon **&40 xP9 O! &0E F0,0x000000000x00000000