diff --git a/NIST_Data_Leakage_Case/NIST_Answers/lab_generated_file/Registry.zip b/NIST_Data_Leakage_Case/NIST_Answers/lab_generated_file/Registry.zip
new file mode 100644
index 0000000..f4186e2
Binary files /dev/null and b/NIST_Data_Leakage_Case/NIST_Answers/lab_generated_file/Registry.zip differ
diff --git a/NIST_Data_Leakage_Case/NIST_Data_Leakage_00_Env_Setting.pptx b/NIST_Data_Leakage_Case/NIST_Data_Leakage_00_Env_Setting.pptx
index 47120dd..9a69d5a 100644
Binary files a/NIST_Data_Leakage_Case/NIST_Data_Leakage_00_Env_Setting.pptx and b/NIST_Data_Leakage_Case/NIST_Data_Leakage_00_Env_Setting.pptx differ
diff --git a/NIST_Data_Leakage_Case/NIST_Data_Leakage_01_Registry.pptx b/NIST_Data_Leakage_Case/NIST_Data_Leakage_01_Registry.pptx
index 0f14917..4f30e4d 100644
Binary files a/NIST_Data_Leakage_Case/NIST_Data_Leakage_01_Registry.pptx and b/NIST_Data_Leakage_Case/NIST_Data_Leakage_01_Registry.pptx differ
diff --git a/NIST_Data_Leakage_Case/NIST_Data_Leakage_02._WinEvt_XML_Python.pptx b/NIST_Data_Leakage_Case/NIST_Data_Leakage_02._WinEvt_XML_Python.pptx
new file mode 100644
index 0000000..22fbba2
Binary files /dev/null and b/NIST_Data_Leakage_Case/NIST_Data_Leakage_02._WinEvt_XML_Python.pptx differ
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/SecurityEvt.xml b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/SecurityEvt.xml
new file mode 100644
index 0000000..23d89ea
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/SecurityEvt.xml
@@ -0,0 +1,36684 @@
+<?xml version="1.1" encoding="utf-8" standalone="yes" ?>
+
+<Events>
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:35.248869"></TimeCreated>
+<EventRecordID>1</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:35.311270"></TimeCreated>
+<EventRecordID>2</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName"></Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.089672"></TimeCreated>
+<EventRecordID>3</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="516"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x0000000000035ce9</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4731</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474"></TimeCreated>
+<EventRecordID>4</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Backup Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-551</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Backup Operators</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474"></TimeCreated>
+<EventRecordID>5</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Backup Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-551</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4731</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474"></TimeCreated>
+<EventRecordID>6</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Replicator</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-552</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Replicator</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474"></TimeCreated>
+<EventRecordID>7</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Replicator</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-552</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4731</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474"></TimeCreated>
+<EventRecordID>8</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Remote Desktop Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-555</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Remote Desktop Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474"></TimeCreated>
+<EventRecordID>9</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Remote Desktop Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-555</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4731</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474"></TimeCreated>
+<EventRecordID>10</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Network Configuration Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-556</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Network Configuration Operators</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474"></TimeCreated>
+<EventRecordID>11</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Network Configuration Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-556</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4731</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474"></TimeCreated>
+<EventRecordID>12</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Power Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-547</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Power Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474"></TimeCreated>
+<EventRecordID>13</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Power Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-547</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4731</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.386072"></TimeCreated>
+<EventRecordID>14</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Cryptographic Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-569</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Cryptographic Operators</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.386072"></TimeCreated>
+<EventRecordID>15</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Cryptographic Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-569</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.713673"></TimeCreated>
+<EventRecordID>16</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.713673"></TimeCreated>
+<EventRecordID>17</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:38.914877"></TimeCreated>
+<EventRecordID>18</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:38.914877"></TimeCreated>
+<EventRecordID>19</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:46.683689"></TimeCreated>
+<EventRecordID>20</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:46.683689"></TimeCreated>
+<EventRecordID>21</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:46.995691"></TimeCreated>
+<EventRecordID>22</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:46.995691"></TimeCreated>
+<EventRecordID>23</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:47.011292"></TimeCreated>
+<EventRecordID>24</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:47.011292"></TimeCreated>
+<EventRecordID>25</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:47.338890"></TimeCreated>
+<EventRecordID>26</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:47.338890"></TimeCreated>
+<EventRecordID>27</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:50.162495"></TimeCreated>
+<EventRecordID>28</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:50.162495"></TimeCreated>
+<EventRecordID>29</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:50.864496"></TimeCreated>
+<EventRecordID>30</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="64"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:52.065699"></TimeCreated>
+<EventRecordID>31</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:54.717703"></TimeCreated>
+<EventRecordID>32</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000454a7</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:17:53.886312"></TimeCreated>
+<EventRecordID>33</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="1868"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">Administrator</Data>
+<Data Name="TargetDomainName">37L4247F27-25</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-500</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x211</Data>
+<Data Name="NewUacValue">0x211</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:17:55.461916"></TimeCreated>
+<EventRecordID>34</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="1868"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:17:55.461916"></TimeCreated>
+<EventRecordID>35</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="1868"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:17:57.708319"></TimeCreated>
+<EventRecordID>36</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="1868"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:17:57.708319"></TimeCreated>
+<EventRecordID>37</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="1868"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:18:23.900766"></TimeCreated>
+<EventRecordID>38</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="1696"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:18:23.900766"></TimeCreated>
+<EventRecordID>39</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="1696"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:18:24.165966"></TimeCreated>
+<EventRecordID>40</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="552"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:18:24.165966"></TimeCreated>
+<EventRecordID>41</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="464" ThreadID="552"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"></Provider>
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:18:29.407576"></TimeCreated>
+<EventRecordID>42</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="816" ThreadID="1468"></Execution>
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID=""></Security>
+</System>
+<UserData><ServiceShutdown xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"></ServiceShutdown>
+</UserData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:26.671669"></TimeCreated>
+<EventRecordID>43</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="480"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:26.827669"></TimeCreated>
+<EventRecordID>44</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="480"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName"></Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:29.058474"></TimeCreated>
+<EventRecordID>45</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="532"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x000000000000d031</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:29.276873"></TimeCreated>
+<EventRecordID>46</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:29.276873"></TimeCreated>
+<EventRecordID>47</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:30.212875"></TimeCreated>
+<EventRecordID>48</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:30.212875"></TimeCreated>
+<EventRecordID>49</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:46.499304"></TimeCreated>
+<EventRecordID>50</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="524"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:46.499304"></TimeCreated>
+<EventRecordID>51</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="524"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:46.592903"></TimeCreated>
+<EventRecordID>52</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="524"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:46.592903"></TimeCreated>
+<EventRecordID>53</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="524"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:46.686502"></TimeCreated>
+<EventRecordID>54</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="524"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:46.686502"></TimeCreated>
+<EventRecordID>55</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="524"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:14.799122"></TimeCreated>
+<EventRecordID>56</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="748"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:14.799122"></TimeCreated>
+<EventRecordID>57</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="748"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:16.811525"></TimeCreated>
+<EventRecordID>58</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="748"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:16.811525"></TimeCreated>
+<EventRecordID>59</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="748"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:17.185928"></TimeCreated>
+<EventRecordID>60</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="44"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:19.057930"></TimeCreated>
+<EventRecordID>61</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="748"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:19.369930"></TimeCreated>
+<EventRecordID>62</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x0000000000028c63</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.848738"></TimeCreated>
+<EventRecordID>63</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Administrators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-544</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.848738"></TimeCreated>
+<EventRecordID>64</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="OldTargetUserName">Administrators</Data>
+<Data Name="NewTargetUserName">Administrators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-544</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.848738"></TimeCreated>
+<EventRecordID>65</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Administrators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-544</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Administrators</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>66</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>67</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="OldTargetUserName">Users</Data>
+<Data Name="NewTargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>68</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>69</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Guests</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-546</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>70</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="OldTargetUserName">Guests</Data>
+<Data Name="NewTargetUserName">Guests</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-546</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>71</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Guests</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-546</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Guests</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>72</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Backup Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-551</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>73</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="OldTargetUserName">Backup Operators</Data>
+<Data Name="NewTargetUserName">Backup Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-551</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>74</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Backup Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-551</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Backup Operators</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>75</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Replicator</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-552</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>76</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="OldTargetUserName">Replicator</Data>
+<Data Name="NewTargetUserName">Replicator</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-552</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>77</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Replicator</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-552</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Replicator</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>78</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Remote Desktop Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-555</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>79</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="OldTargetUserName">Remote Desktop Users</Data>
+<Data Name="NewTargetUserName">Remote Desktop Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-555</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>80</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Remote Desktop Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-555</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Remote Desktop Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>81</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Network Configuration Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-556</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>82</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="OldTargetUserName">Network Configuration Operators</Data>
+<Data Name="NewTargetUserName">Network Configuration Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-556</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>83</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Network Configuration Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-556</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Network Configuration Operators</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>84</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Power Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-547</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>85</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="OldTargetUserName">Power Users</Data>
+<Data Name="NewTargetUserName">Power Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-547</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>86</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Power Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-547</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Power Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>87</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Performance Monitor Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-558</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>88</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="OldTargetUserName">Performance Monitor Users</Data>
+<Data Name="NewTargetUserName">Performance Monitor Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-558</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>89</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Performance Monitor Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-558</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Performance Monitor Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>90</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Performance Log Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-559</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>91</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="OldTargetUserName">Performance Log Users</Data>
+<Data Name="NewTargetUserName">Performance Log Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-559</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>92</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Performance Log Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-559</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Performance Log Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>93</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Distributed COM Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-562</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>94</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="OldTargetUserName">Distributed COM Users</Data>
+<Data Name="NewTargetUserName">Distributed COM Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-562</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>95</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Distributed COM Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-562</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Distributed COM Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>96</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">IIS_IUSRS</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-568</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>97</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="OldTargetUserName">IIS_IUSRS</Data>
+<Data Name="NewTargetUserName">IIS_IUSRS</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-568</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>98</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">IIS_IUSRS</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-568</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">IIS_IUSRS</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>99</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Cryptographic Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-569</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>100</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="OldTargetUserName">Cryptographic Operators</Data>
+<Data Name="NewTargetUserName">Cryptographic Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-569</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>101</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Cryptographic Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-569</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Cryptographic Operators</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>102</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Event Log Readers</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-573</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>103</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="OldTargetUserName">Event Log Readers</Data>
+<Data Name="NewTargetUserName">Event Log Readers</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-573</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>104</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">Event Log Readers</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-573</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Event Log Readers</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>105</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">Administrator</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-500</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Administrator</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">11/20/2010 8:57:24 PM</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x211</Data>
+<Data Name="NewUacValue">0x211</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>106</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">Administrator</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-500</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Administrator</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">11/20/2010 8:57:24 PM</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x211</Data>
+<Data Name="NewUacValue">0x211</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>107</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">Guest</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-501</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Guest</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x215</Data>
+<Data Name="NewUacValue">0x215</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338"></TimeCreated>
+<EventRecordID>108</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">Guest</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-501</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Guest</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x215</Data>
+<Data Name="NewUacValue">0x215</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:53.237000"></TimeCreated>
+<EventRecordID>109</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="64"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PreviousTime">2015-03-25 10:34:25.685648</Data>
+<Data Name="NewTime">2015-03-22 14:33:53.237000</Data>
+<Data Name="ProcessId">0x0000000000000340</Data>
+<Data Name="ProcessName">C:\Windows\System32\oobe\msoobe.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4728</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.422602"></TimeCreated>
+<EventRecordID>110</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="748"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">None</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-513</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4720</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.422602"></TimeCreated>
+<EventRecordID>111</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="748"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">informant</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x0</Data>
+<Data Name="NewUacValue">0x15</Data>
+<Data Name="UserAccountControl">
+		%%2080
+		%%2082
+		%%2084</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4732</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.422602"></TimeCreated>
+<EventRecordID>112</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="748"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4722</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.438202"></TimeCreated>
+<EventRecordID>113</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="748"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.438202"></TimeCreated>
+<EventRecordID>114</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="748"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">informant</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x15</Data>
+<Data Name="NewUacValue">0x14</Data>
+<Data Name="UserAccountControl">
+		%%2048</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4732</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.453800"></TimeCreated>
+<EventRecordID>115</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="748"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">Administrators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-544</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4733</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.485001"></TimeCreated>
+<EventRecordID>116</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="1828"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.485001"></TimeCreated>
+<EventRecordID>117</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="1828"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">informant</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">3/22/2015 10:33:54 AM</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x14</Data>
+<Data Name="NewUacValue">0x214</Data>
+<Data Name="UserAccountControl">
+		%%2089</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4724</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.485001"></TimeCreated>
+<EventRecordID>118</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="1828"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.485001"></TimeCreated>
+<EventRecordID>119</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="1828"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:24.717855"></TimeCreated>
+<EventRecordID>120</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="1828"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:24.717855"></TimeCreated>
+<EventRecordID>121</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="1828"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:28.922289"></TimeCreated>
+<EventRecordID>122</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:28.922289"></TimeCreated>
+<EventRecordID>123</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x000000000003be29</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">WIN-D9RGPJQ68G8</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:28.922289"></TimeCreated>
+<EventRecordID>124</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x000000000003db0a</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">WIN-D9RGPJQ68G8</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:28.922289"></TimeCreated>
+<EventRecordID>125</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="796"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x000000000003be29</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:49.529924"></TimeCreated>
+<EventRecordID>126</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="748"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:49.529924"></TimeCreated>
+<EventRecordID>127</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="748"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"></Provider>
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:38:16.402891"></TimeCreated>
+<EventRecordID>128</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="952" ThreadID="2504"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<UserData><ServiceShutdown xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"></ServiceShutdown>
+</UserData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:38:15.888088"></TimeCreated>
+<EventRecordID>129</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="476" ThreadID="1828"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x000000000003db0a</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:14.039225"></TimeCreated>
+<EventRecordID>130</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="460"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:14.086025"></TimeCreated>
+<EventRecordID>131</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="460"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName"></Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:15.053226"></TimeCreated>
+<EventRecordID>132</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="524"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x000000000000b8dc</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:15.193626"></TimeCreated>
+<EventRecordID>133</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="520"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:15.193626"></TimeCreated>
+<EventRecordID>134</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="520"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:15.692829"></TimeCreated>
+<EventRecordID>135</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="520"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:15.692829"></TimeCreated>
+<EventRecordID>136</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="520"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:16.207628"></TimeCreated>
+<EventRecordID>137</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="520"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:16.207628"></TimeCreated>
+<EventRecordID>138</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="520"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:16.660030"></TimeCreated>
+<EventRecordID>139</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="504"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:16.660030"></TimeCreated>
+<EventRecordID>140</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="504"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:16.675631"></TimeCreated>
+<EventRecordID>141</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="504"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:16.675631"></TimeCreated>
+<EventRecordID>142</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="504"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:20.216837"></TimeCreated>
+<EventRecordID>143</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="504"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:20.216837"></TimeCreated>
+<EventRecordID>144</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="504"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:21.418037"></TimeCreated>
+<EventRecordID>145</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="68"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:23.773643"></TimeCreated>
+<EventRecordID>146</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="520"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:27.299248"></TimeCreated>
+<EventRecordID>147</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="520"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x000000000001a667</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:30.717463"></TimeCreated>
+<EventRecordID>148</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="1812"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:30.717463"></TimeCreated>
+<EventRecordID>149</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="1812"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:31.981066"></TimeCreated>
+<EventRecordID>150</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="1812"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:31.981066"></TimeCreated>
+<EventRecordID>151</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="1812"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:39.874680"></TimeCreated>
+<EventRecordID>152</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="492"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x0000000000000184</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:39.874680"></TimeCreated>
+<EventRecordID>153</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="492"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000026923</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000184</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:39.874680"></TimeCreated>
+<EventRecordID>154</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="492"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000026951</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000184</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:39.874680"></TimeCreated>
+<EventRecordID>155</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="492"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x0000000000026923</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:08.475166"></TimeCreated>
+<EventRecordID>156</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="1812"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:08.475166"></TimeCreated>
+<EventRecordID>157</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="1812"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:08.615566"></TimeCreated>
+<EventRecordID>158</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="1648"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:08.615566"></TimeCreated>
+<EventRecordID>159</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="1648"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:18.412384"></TimeCreated>
+<EventRecordID>160</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="2096"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:18.412384"></TimeCreated>
+<EventRecordID>161</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="2096"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4904</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:20.799187"></TimeCreated>
+<EventRecordID>162</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="1648"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x0000000000069adb</Data>
+<Data Name="ProcessId">0x0000000000000bc0</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4905</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:20.799187"></TimeCreated>
+<EventRecordID>163</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="1648"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x0000000000069adb</Data>
+<Data Name="ProcessId">0x0000000000000bc0</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4904</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:36.648815"></TimeCreated>
+<EventRecordID>164</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="1856"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000000835e3</Data>
+<Data Name="ProcessId">0x0000000000000bc0</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4905</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:36.648815"></TimeCreated>
+<EventRecordID>165</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="1856"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000000835e3</Data>
+<Data Name="ProcessId">0x0000000000000bc0</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:04:33.457232"></TimeCreated>
+<EventRecordID>166</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="492"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:04:33.457232"></TimeCreated>
+<EventRecordID>167</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="492"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:12:37.117380"></TimeCreated>
+<EventRecordID>168</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="2320"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:12:37.117380"></TimeCreated>
+<EventRecordID>169</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="2320"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:13:12.170641"></TimeCreated>
+<EventRecordID>170</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="2320"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:13:12.170641"></TimeCreated>
+<EventRecordID>171</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="2320"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:13:12.857042"></TimeCreated>
+<EventRecordID>172</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="3756"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:13:12.857042"></TimeCreated>
+<EventRecordID>173</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="3756"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4904</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:13:25.305864"></TimeCreated>
+<EventRecordID>174</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="3116"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000001fa262</Data>
+<Data Name="ProcessId">0x0000000000000e6c</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4905</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:13:25.305864"></TimeCreated>
+<EventRecordID>175</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="3116"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000001fa262</Data>
+<Data Name="ProcessId">0x0000000000000e6c</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:16:01.446539"></TimeCreated>
+<EventRecordID>176</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="3116"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:16:01.446539"></TimeCreated>
+<EventRecordID>177</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="3116"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:17:19.431074"></TimeCreated>
+<EventRecordID>178</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\winsxs\Temp\PendingRenames\a86dcf49b364d00184220000f80e440b.install.ins</Data>
+<Data Name="HandleId">0x00000000000086e8</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI</Data>
+<Data Name="ProcessId">0x0000000000000ef8</Data>
+<Data Name="ProcessName">C:\Windows\servicing\TrustedInstaller.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:17:19.431074"></TimeCreated>
+<EventRecordID>179</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\winsxs\Temp\PendingRenames\08cfd149b364d00185220000f80e440b.install.ins</Data>
+<Data Name="HandleId">0x00000000000088b0</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI</Data>
+<Data Name="ProcessId">0x0000000000000ef8</Data>
+<Data Name="ProcessName">C:\Windows\servicing\TrustedInstaller.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:52.829239"></TimeCreated>
+<EventRecordID>180</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="3116"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000026951</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.356443"></TimeCreated>
+<EventRecordID>181</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\DWrite.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.356443"></TimeCreated>
+<EventRecordID>182</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d2d1.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.356443"></TimeCreated>
+<EventRecordID>183</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\msmpeg2vdec.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.372044"></TimeCreated>
+<EventRecordID>184</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.372044"></TimeCreated>
+<EventRecordID>185</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d3d10core.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.372044"></TimeCreated>
+<EventRecordID>186</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.387644"></TimeCreated>
+<EventRecordID>187</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.387644"></TimeCreated>
+<EventRecordID>188</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\XpsGdiConverter.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.387644"></TimeCreated>
+<EventRecordID>189</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.403244"></TimeCreated>
+<EventRecordID>190</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d3d10warp.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.403244"></TimeCreated>
+<EventRecordID>191</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.403244"></TimeCreated>
+<EventRecordID>192</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\dxgi.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.418844"></TimeCreated>
+<EventRecordID>193</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\WMPhoto.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.418844"></TimeCreated>
+<EventRecordID>194</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\FntCache.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.418844"></TimeCreated>
+<EventRecordID>195</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.434444"></TimeCreated>
+<EventRecordID>196</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d3d10_1.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.434444"></TimeCreated>
+<EventRecordID>197</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\WindowsCodecsExt.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.434444"></TimeCreated>
+<EventRecordID>198</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.450045"></TimeCreated>
+<EventRecordID>199</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d3d10level9.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.450045"></TimeCreated>
+<EventRecordID>200</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\UIAnimation.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.450045"></TimeCreated>
+<EventRecordID>201</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.450045"></TimeCreated>
+<EventRecordID>202</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d3d10_1core.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.465645"></TimeCreated>
+<EventRecordID>203</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\XpsPrint.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.465645"></TimeCreated>
+<EventRecordID>204</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.465645"></TimeCreated>
+<EventRecordID>205</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d3d10.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.481245"></TimeCreated>
+<EventRecordID>206</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\WindowsCodecs.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.481245"></TimeCreated>
+<EventRecordID>207</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d3d11.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.481245"></TimeCreated>
+<EventRecordID>208</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.496843"></TimeCreated>
+<EventRecordID>209</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.496843"></TimeCreated>
+<EventRecordID>210</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.496843"></TimeCreated>
+<EventRecordID>211</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.512444"></TimeCreated>
+<EventRecordID>212</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.512444"></TimeCreated>
+<EventRecordID>213</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\da-DK\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.512444"></TimeCreated>
+<EventRecordID>214</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\da-DK\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.528044"></TimeCreated>
+<EventRecordID>215</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\da-DK\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.528044"></TimeCreated>
+<EventRecordID>216</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\da-DK\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.528044"></TimeCreated>
+<EventRecordID>217</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nb-NO\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.543644"></TimeCreated>
+<EventRecordID>218</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nb-NO\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.543644"></TimeCreated>
+<EventRecordID>219</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nb-NO\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.543644"></TimeCreated>
+<EventRecordID>220</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nb-NO\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.559244"></TimeCreated>
+<EventRecordID>221</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\spp\tokens\ppdlic\msmpeg2vdec-ppdlic.xrm-ms</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.559244"></TimeCreated>
+<EventRecordID>222</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ru-RU\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.559244"></TimeCreated>
+<EventRecordID>223</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ru-RU\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.574844"></TimeCreated>
+<EventRecordID>224</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ru-RU\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.574844"></TimeCreated>
+<EventRecordID>225</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ru-RU\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.574844"></TimeCreated>
+<EventRecordID>226</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ja-JP\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.590445"></TimeCreated>
+<EventRecordID>227</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ja-JP\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.590445"></TimeCreated>
+<EventRecordID>228</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ja-JP\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.606045"></TimeCreated>
+<EventRecordID>229</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ja-JP\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.606045"></TimeCreated>
+<EventRecordID>230</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ja-JP\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.606045"></TimeCreated>
+<EventRecordID>231</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-CN\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.606045"></TimeCreated>
+<EventRecordID>232</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-CN\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.621645"></TimeCreated>
+<EventRecordID>233</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-CN\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.621645"></TimeCreated>
+<EventRecordID>234</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-CN\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.621645"></TimeCreated>
+<EventRecordID>235</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\cs-CZ\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.637243"></TimeCreated>
+<EventRecordID>236</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\cs-CZ\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.637243"></TimeCreated>
+<EventRecordID>237</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\cs-CZ\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.637243"></TimeCreated>
+<EventRecordID>238</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\cs-CZ\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.637243"></TimeCreated>
+<EventRecordID>239</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\de-DE\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.652843"></TimeCreated>
+<EventRecordID>240</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\de-DE\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.652843"></TimeCreated>
+<EventRecordID>241</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\de-DE\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.668444"></TimeCreated>
+<EventRecordID>242</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\de-DE\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.668444"></TimeCreated>
+<EventRecordID>243</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\de-DE\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.668444"></TimeCreated>
+<EventRecordID>244</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-TW\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.684044"></TimeCreated>
+<EventRecordID>245</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-TW\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.684044"></TimeCreated>
+<EventRecordID>246</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-TW\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.684044"></TimeCreated>
+<EventRecordID>247</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-TW\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.699644"></TimeCreated>
+<EventRecordID>248</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\es-ES\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.699644"></TimeCreated>
+<EventRecordID>249</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\es-ES\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.699644"></TimeCreated>
+<EventRecordID>250</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\es-ES\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.715244"></TimeCreated>
+<EventRecordID>251</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\es-ES\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.715244"></TimeCreated>
+<EventRecordID>252</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\es-ES\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.715244"></TimeCreated>
+<EventRecordID>253</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\sv-SE\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.715244"></TimeCreated>
+<EventRecordID>254</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\sv-SE\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.730844"></TimeCreated>
+<EventRecordID>255</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\sv-SE\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.730844"></TimeCreated>
+<EventRecordID>256</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\sv-SE\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.730844"></TimeCreated>
+<EventRecordID>257</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\tr-TR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.730844"></TimeCreated>
+<EventRecordID>258</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\tr-TR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.746445"></TimeCreated>
+<EventRecordID>259</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\tr-TR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.746445"></TimeCreated>
+<EventRecordID>260</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\tr-TR\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.746445"></TimeCreated>
+<EventRecordID>261</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fi-FI\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.746445"></TimeCreated>
+<EventRecordID>262</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fi-FI\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.762045"></TimeCreated>
+<EventRecordID>263</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fi-FI\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.762045"></TimeCreated>
+<EventRecordID>264</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fi-FI\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.762045"></TimeCreated>
+<EventRecordID>265</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fr-FR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.762045"></TimeCreated>
+<EventRecordID>266</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fr-FR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.777645"></TimeCreated>
+<EventRecordID>267</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fr-FR\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.777645"></TimeCreated>
+<EventRecordID>268</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fr-FR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.777645"></TimeCreated>
+<EventRecordID>269</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fr-FR\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.793243"></TimeCreated>
+<EventRecordID>270</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nl-NL\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.793243"></TimeCreated>
+<EventRecordID>271</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nl-NL\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.793243"></TimeCreated>
+<EventRecordID>272</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nl-NL\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.793243"></TimeCreated>
+<EventRecordID>273</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nl-NL\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.808844"></TimeCreated>
+<EventRecordID>274</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nl-NL\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.808844"></TimeCreated>
+<EventRecordID>275</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\el-GR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.808844"></TimeCreated>
+<EventRecordID>276</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\el-GR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.824444"></TimeCreated>
+<EventRecordID>277</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\el-GR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.824444"></TimeCreated>
+<EventRecordID>278</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\el-GR\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.824444"></TimeCreated>
+<EventRecordID>279</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-HK\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.840044"></TimeCreated>
+<EventRecordID>280</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-HK\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.840044"></TimeCreated>
+<EventRecordID>281</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-HK\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.840044"></TimeCreated>
+<EventRecordID>282</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-HK\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.840044"></TimeCreated>
+<EventRecordID>283</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\hu-HU\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.855644"></TimeCreated>
+<EventRecordID>284</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\hu-HU\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.855644"></TimeCreated>
+<EventRecordID>285</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\hu-HU\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.855644"></TimeCreated>
+<EventRecordID>286</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\hu-HU\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.855644"></TimeCreated>
+<EventRecordID>287</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ko-KR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.871246"></TimeCreated>
+<EventRecordID>288</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ko-KR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.871246"></TimeCreated>
+<EventRecordID>289</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ko-KR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.871246"></TimeCreated>
+<EventRecordID>290</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ko-KR\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.871246"></TimeCreated>
+<EventRecordID>291</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pl-PL\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.886847"></TimeCreated>
+<EventRecordID>292</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pl-PL\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.886847"></TimeCreated>
+<EventRecordID>293</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pl-PL\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.886847"></TimeCreated>
+<EventRecordID>294</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pl-PL\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.902447"></TimeCreated>
+<EventRecordID>295</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-PT\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.902447"></TimeCreated>
+<EventRecordID>296</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-PT\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.902447"></TimeCreated>
+<EventRecordID>297</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-PT\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.902447"></TimeCreated>
+<EventRecordID>298</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-PT\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.918045"></TimeCreated>
+<EventRecordID>299</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\it-IT\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.918045"></TimeCreated>
+<EventRecordID>300</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\it-IT\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.918045"></TimeCreated>
+<EventRecordID>301</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\it-IT\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.918045"></TimeCreated>
+<EventRecordID>302</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\it-IT\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.933645"></TimeCreated>
+<EventRecordID>303</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\it-IT\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.933645"></TimeCreated>
+<EventRecordID>304</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-BR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.933645"></TimeCreated>
+<EventRecordID>305</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-BR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.949245"></TimeCreated>
+<EventRecordID>306</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-BR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.949245"></TimeCreated>
+<EventRecordID>307</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-BR\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.949245"></TimeCreated>
+<EventRecordID>308</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\DWrite.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.964846"></TimeCreated>
+<EventRecordID>309</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d2d1.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.964846"></TimeCreated>
+<EventRecordID>310</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\msmpeg2vdec.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.964846"></TimeCreated>
+<EventRecordID>311</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.980446"></TimeCreated>
+<EventRecordID>312</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d3d10core.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.980446"></TimeCreated>
+<EventRecordID>313</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.996046"></TimeCreated>
+<EventRecordID>314</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.996046"></TimeCreated>
+<EventRecordID>315</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\XpsGdiConverter.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.996046"></TimeCreated>
+<EventRecordID>316</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.011646"></TimeCreated>
+<EventRecordID>317</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d3d10warp.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.011646"></TimeCreated>
+<EventRecordID>318</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\dxgi.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.011646"></TimeCreated>
+<EventRecordID>319</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.027246"></TimeCreated>
+<EventRecordID>320</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\WMPhoto.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.027246"></TimeCreated>
+<EventRecordID>321</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.042847"></TimeCreated>
+<EventRecordID>322</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d3d10_1.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.042847"></TimeCreated>
+<EventRecordID>323</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d3d10level9.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.074045"></TimeCreated>
+<EventRecordID>324</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\WindowsCodecsExt.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.074045"></TimeCreated>
+<EventRecordID>325</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.074045"></TimeCreated>
+<EventRecordID>326</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.074045"></TimeCreated>
+<EventRecordID>327</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\UIAnimation.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.089645"></TimeCreated>
+<EventRecordID>328</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d3d10_1core.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.089645"></TimeCreated>
+<EventRecordID>329</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\XpsPrint.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.089645"></TimeCreated>
+<EventRecordID>330</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.089645"></TimeCreated>
+<EventRecordID>331</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d3d10.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.105246"></TimeCreated>
+<EventRecordID>332</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\WindowsCodecs.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.105246"></TimeCreated>
+<EventRecordID>333</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d3d11.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.120846"></TimeCreated>
+<EventRecordID>334</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.120846"></TimeCreated>
+<EventRecordID>335</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.120846"></TimeCreated>
+<EventRecordID>336</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.120846"></TimeCreated>
+<EventRecordID>337</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.136446"></TimeCreated>
+<EventRecordID>338</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\da-DK\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.136446"></TimeCreated>
+<EventRecordID>339</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\da-DK\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.136446"></TimeCreated>
+<EventRecordID>340</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\da-DK\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.136446"></TimeCreated>
+<EventRecordID>341</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\nb-NO\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.152046"></TimeCreated>
+<EventRecordID>342</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\nb-NO\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.152046"></TimeCreated>
+<EventRecordID>343</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\nb-NO\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.183247"></TimeCreated>
+<EventRecordID>344</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\spp\tokens\ppdlic\msmpeg2vdec-ppdlic.xrm-ms</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.183247"></TimeCreated>
+<EventRecordID>345</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ru-RU\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.183247"></TimeCreated>
+<EventRecordID>346</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ru-RU\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.183247"></TimeCreated>
+<EventRecordID>347</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ru-RU\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.183247"></TimeCreated>
+<EventRecordID>348</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ja-JP\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.198845"></TimeCreated>
+<EventRecordID>349</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ja-JP\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.198845"></TimeCreated>
+<EventRecordID>350</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ja-JP\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.198845"></TimeCreated>
+<EventRecordID>351</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ja-JP\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.198845"></TimeCreated>
+<EventRecordID>352</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-CN\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.198845"></TimeCreated>
+<EventRecordID>353</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-CN\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.214445"></TimeCreated>
+<EventRecordID>354</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-CN\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.214445"></TimeCreated>
+<EventRecordID>355</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\cs-CZ\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.214445"></TimeCreated>
+<EventRecordID>356</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\cs-CZ\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.214445"></TimeCreated>
+<EventRecordID>357</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\cs-CZ\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.230045"></TimeCreated>
+<EventRecordID>358</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\de-DE\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.230045"></TimeCreated>
+<EventRecordID>359</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\de-DE\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.230045"></TimeCreated>
+<EventRecordID>360</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\de-DE\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.230045"></TimeCreated>
+<EventRecordID>361</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\de-DE\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.245646"></TimeCreated>
+<EventRecordID>362</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-TW\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.245646"></TimeCreated>
+<EventRecordID>363</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-TW\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.245646"></TimeCreated>
+<EventRecordID>364</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-TW\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.245646"></TimeCreated>
+<EventRecordID>365</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\es-ES\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.261246"></TimeCreated>
+<EventRecordID>366</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\es-ES\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.261246"></TimeCreated>
+<EventRecordID>367</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\es-ES\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.261246"></TimeCreated>
+<EventRecordID>368</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\es-ES\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.261246"></TimeCreated>
+<EventRecordID>369</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\sv-SE\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.261246"></TimeCreated>
+<EventRecordID>370</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\sv-SE\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.276846"></TimeCreated>
+<EventRecordID>371</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\sv-SE\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.276846"></TimeCreated>
+<EventRecordID>372</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\tr-TR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.276846"></TimeCreated>
+<EventRecordID>373</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\tr-TR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.276846"></TimeCreated>
+<EventRecordID>374</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\tr-TR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.276846"></TimeCreated>
+<EventRecordID>375</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\fi-FI\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.292446"></TimeCreated>
+<EventRecordID>376</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\fi-FI\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.292446"></TimeCreated>
+<EventRecordID>377</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\fi-FI\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.292446"></TimeCreated>
+<EventRecordID>378</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\fr-FR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.292446"></TimeCreated>
+<EventRecordID>379</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\fr-FR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.308046"></TimeCreated>
+<EventRecordID>380</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\fr-FR\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.308046"></TimeCreated>
+<EventRecordID>381</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\fr-FR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.308046"></TimeCreated>
+<EventRecordID>382</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\nl-NL\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.308046"></TimeCreated>
+<EventRecordID>383</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\nl-NL\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.323647"></TimeCreated>
+<EventRecordID>384</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\nl-NL\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.323647"></TimeCreated>
+<EventRecordID>385</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\nl-NL\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.323647"></TimeCreated>
+<EventRecordID>386</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\el-GR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.323647"></TimeCreated>
+<EventRecordID>387</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\el-GR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.339247"></TimeCreated>
+<EventRecordID>388</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\el-GR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.339247"></TimeCreated>
+<EventRecordID>389</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-HK\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.339247"></TimeCreated>
+<EventRecordID>390</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-HK\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.339247"></TimeCreated>
+<EventRecordID>391</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-HK\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.354845"></TimeCreated>
+<EventRecordID>392</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\hu-HU\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.354845"></TimeCreated>
+<EventRecordID>393</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\hu-HU\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.354845"></TimeCreated>
+<EventRecordID>394</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\hu-HU\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.354845"></TimeCreated>
+<EventRecordID>395</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ko-KR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.370445"></TimeCreated>
+<EventRecordID>396</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ko-KR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.370445"></TimeCreated>
+<EventRecordID>397</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ko-KR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.370445"></TimeCreated>
+<EventRecordID>398</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pl-PL\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.370445"></TimeCreated>
+<EventRecordID>399</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pl-PL\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.370445"></TimeCreated>
+<EventRecordID>400</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pl-PL\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.386045"></TimeCreated>
+<EventRecordID>401</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pt-PT\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.386045"></TimeCreated>
+<EventRecordID>402</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pt-PT\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.386045"></TimeCreated>
+<EventRecordID>403</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pt-PT\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.386045"></TimeCreated>
+<EventRecordID>404</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\it-IT\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.401646"></TimeCreated>
+<EventRecordID>405</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\it-IT\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.401646"></TimeCreated>
+<EventRecordID>406</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\it-IT\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.401646"></TimeCreated>
+<EventRecordID>407</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\it-IT\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.401646"></TimeCreated>
+<EventRecordID>408</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pt-BR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.417246"></TimeCreated>
+<EventRecordID>409</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pt-BR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.417246"></TimeCreated>
+<EventRecordID>410</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pt-BR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.588846"></TimeCreated>
+<EventRecordID>411</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ntoskrnl.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.588846"></TimeCreated>
+<EventRecordID>412</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntoskrnl.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.604446"></TimeCreated>
+<EventRecordID>413</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntkrnlpa.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.698046"></TimeCreated>
+<EventRecordID>414</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\AppPatch\acwow64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.698046"></TimeCreated>
+<EventRecordID>415</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.713646"></TimeCreated>
+<EventRecordID>416</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.713646"></TimeCreated>
+<EventRecordID>417</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.713646"></TimeCreated>
+<EventRecordID>418</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.729248"></TimeCreated>
+<EventRecordID>419</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.729248"></TimeCreated>
+<EventRecordID>420</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64cpu.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.729248"></TimeCreated>
+<EventRecordID>421</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.885248"></TimeCreated>
+<EventRecordID>422</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.900846"></TimeCreated>
+<EventRecordID>423</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.900846"></TimeCreated>
+<EventRecordID>424</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.900846"></TimeCreated>
+<EventRecordID>425</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.916447"></TimeCreated>
+<EventRecordID>426</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.916447"></TimeCreated>
+<EventRecordID>427</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.916447"></TimeCreated>
+<EventRecordID>428</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ntvdm64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.932047"></TimeCreated>
+<EventRecordID>429</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.932047"></TimeCreated>
+<EventRecordID>430</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.932047"></TimeCreated>
+<EventRecordID>431</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.947647"></TimeCreated>
+<EventRecordID>432</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.947647"></TimeCreated>
+<EventRecordID>433</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.947647"></TimeCreated>
+<EventRecordID>434</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.947647"></TimeCreated>
+<EventRecordID>435</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\conhost.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.963247"></TimeCreated>
+<EventRecordID>436</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.963247"></TimeCreated>
+<EventRecordID>437</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.963247"></TimeCreated>
+<EventRecordID>438</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.978848"></TimeCreated>
+<EventRecordID>439</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64win.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.978848"></TimeCreated>
+<EventRecordID>440</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.978848"></TimeCreated>
+<EventRecordID>441</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\kernel32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.994448"></TimeCreated>
+<EventRecordID>442</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\KernelBase.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.994448"></TimeCreated>
+<EventRecordID>443</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.994448"></TimeCreated>
+<EventRecordID>444</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.010048"></TimeCreated>
+<EventRecordID>445</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.010048"></TimeCreated>
+<EventRecordID>446</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.010048"></TimeCreated>
+<EventRecordID>447</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\winsrv.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.025648"></TimeCreated>
+<EventRecordID>448</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.025648"></TimeCreated>
+<EventRecordID>449</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.025648"></TimeCreated>
+<EventRecordID>450</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.041248"></TimeCreated>
+<EventRecordID>451</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.041248"></TimeCreated>
+<EventRecordID>452</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.041248"></TimeCreated>
+<EventRecordID>453</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\setup16.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.056847"></TimeCreated>
+<EventRecordID>454</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\user.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.056847"></TimeCreated>
+<EventRecordID>455</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.056847"></TimeCreated>
+<EventRecordID>456</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntvdm64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.056847"></TimeCreated>
+<EventRecordID>457</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.072447"></TimeCreated>
+<EventRecordID>458</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.072447"></TimeCreated>
+<EventRecordID>459</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.072447"></TimeCreated>
+<EventRecordID>460</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.088047"></TimeCreated>
+<EventRecordID>461</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.088047"></TimeCreated>
+<EventRecordID>462</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.088047"></TimeCreated>
+<EventRecordID>463</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.088047"></TimeCreated>
+<EventRecordID>464</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.103647"></TimeCreated>
+<EventRecordID>465</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.103647"></TimeCreated>
+<EventRecordID>466</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\instnm.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.103647"></TimeCreated>
+<EventRecordID>467</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.119247"></TimeCreated>
+<EventRecordID>468</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.119247"></TimeCreated>
+<EventRecordID>469</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.119247"></TimeCreated>
+<EventRecordID>470</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.119247"></TimeCreated>
+<EventRecordID>471</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.134848"></TimeCreated>
+<EventRecordID>472</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.134848"></TimeCreated>
+<EventRecordID>473</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\kernel32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.134848"></TimeCreated>
+<EventRecordID>474</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.134848"></TimeCreated>
+<EventRecordID>475</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.150448"></TimeCreated>
+<EventRecordID>476</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.150448"></TimeCreated>
+<EventRecordID>477</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.150448"></TimeCreated>
+<EventRecordID>478</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.166048"></TimeCreated>
+<EventRecordID>479</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\KernelBase.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.166048"></TimeCreated>
+<EventRecordID>480</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.166048"></TimeCreated>
+<EventRecordID>481</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.181648"></TimeCreated>
+<EventRecordID>482</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.181648"></TimeCreated>
+<EventRecordID>483</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.181648"></TimeCreated>
+<EventRecordID>484</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.181648"></TimeCreated>
+<EventRecordID>485</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\wow32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.384447"></TimeCreated>
+<EventRecordID>486</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\AppPatch\acwow64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.446848"></TimeCreated>
+<EventRecordID>487</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.462448"></TimeCreated>
+<EventRecordID>488</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.462448"></TimeCreated>
+<EventRecordID>489</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.462448"></TimeCreated>
+<EventRecordID>490</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.478048"></TimeCreated>
+<EventRecordID>491</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.478048"></TimeCreated>
+<EventRecordID>492</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64cpu.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.493647"></TimeCreated>
+<EventRecordID>493</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.493647"></TimeCreated>
+<EventRecordID>494</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.493647"></TimeCreated>
+<EventRecordID>495</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.509247"></TimeCreated>
+<EventRecordID>496</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.509247"></TimeCreated>
+<EventRecordID>497</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.509247"></TimeCreated>
+<EventRecordID>498</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.524847"></TimeCreated>
+<EventRecordID>499</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.524847"></TimeCreated>
+<EventRecordID>500</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ntvdm64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.540447"></TimeCreated>
+<EventRecordID>501</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.540447"></TimeCreated>
+<EventRecordID>502</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.540447"></TimeCreated>
+<EventRecordID>503</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.556047"></TimeCreated>
+<EventRecordID>504</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.556047"></TimeCreated>
+<EventRecordID>505</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.556047"></TimeCreated>
+<EventRecordID>506</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.571648"></TimeCreated>
+<EventRecordID>507</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\conhost.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.571648"></TimeCreated>
+<EventRecordID>508</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.587248"></TimeCreated>
+<EventRecordID>509</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.587248"></TimeCreated>
+<EventRecordID>510</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.587248"></TimeCreated>
+<EventRecordID>511</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64win.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.587248"></TimeCreated>
+<EventRecordID>512</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.602848"></TimeCreated>
+<EventRecordID>513</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\kernel32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.602848"></TimeCreated>
+<EventRecordID>514</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\KernelBase.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.618448"></TimeCreated>
+<EventRecordID>515</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.712049"></TimeCreated>
+<EventRecordID>516</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.727650"></TimeCreated>
+<EventRecordID>517</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.727650"></TimeCreated>
+<EventRecordID>518</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.727650"></TimeCreated>
+<EventRecordID>519</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\winsrv.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.727650"></TimeCreated>
+<EventRecordID>520</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.743250"></TimeCreated>
+<EventRecordID>521</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.743250"></TimeCreated>
+<EventRecordID>522</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.743250"></TimeCreated>
+<EventRecordID>523</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\KernelBase.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.758848"></TimeCreated>
+<EventRecordID>524</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\instnm.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.758848"></TimeCreated>
+<EventRecordID>525</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.758848"></TimeCreated>
+<EventRecordID>526</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.774448"></TimeCreated>
+<EventRecordID>527</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.774448"></TimeCreated>
+<EventRecordID>528</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.774448"></TimeCreated>
+<EventRecordID>529</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\user.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.774448"></TimeCreated>
+<EventRecordID>530</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.790049"></TimeCreated>
+<EventRecordID>531</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.790049"></TimeCreated>
+<EventRecordID>532</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.790049"></TimeCreated>
+<EventRecordID>533</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.790049"></TimeCreated>
+<EventRecordID>534</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.805649"></TimeCreated>
+<EventRecordID>535</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.805649"></TimeCreated>
+<EventRecordID>536</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.805649"></TimeCreated>
+<EventRecordID>537</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntvdm64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.805649"></TimeCreated>
+<EventRecordID>538</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.821249"></TimeCreated>
+<EventRecordID>539</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.821249"></TimeCreated>
+<EventRecordID>540</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.821249"></TimeCreated>
+<EventRecordID>541</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.836849"></TimeCreated>
+<EventRecordID>542</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.836849"></TimeCreated>
+<EventRecordID>543</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.836849"></TimeCreated>
+<EventRecordID>544</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\wow32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.836849"></TimeCreated>
+<EventRecordID>545</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.852449"></TimeCreated>
+<EventRecordID>546</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.852449"></TimeCreated>
+<EventRecordID>547</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.852449"></TimeCreated>
+<EventRecordID>548</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.852449"></TimeCreated>
+<EventRecordID>549</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\kernel32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.868050"></TimeCreated>
+<EventRecordID>550</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\KernelBase.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.868050"></TimeCreated>
+<EventRecordID>551</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.868050"></TimeCreated>
+<EventRecordID>552</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.883650"></TimeCreated>
+<EventRecordID>553</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.883650"></TimeCreated>
+<EventRecordID>554</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.883650"></TimeCreated>
+<EventRecordID>555</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.883650"></TimeCreated>
+<EventRecordID>556</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\setup16.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.899248"></TimeCreated>
+<EventRecordID>557</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.899248"></TimeCreated>
+<EventRecordID>558</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.899248"></TimeCreated>
+<EventRecordID>559</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\KernelBase.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.024050"></TimeCreated>
+<EventRecordID>560</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Fonts\seguisym.ttf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.024050"></TimeCreated>
+<EventRecordID>561</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Fonts\segoeui.ttf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.024050"></TimeCreated>
+<EventRecordID>562</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Fonts\segoeuiz.ttf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.039648"></TimeCreated>
+<EventRecordID>563</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Fonts\segoeuib.ttf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.039648"></TimeCreated>
+<EventRecordID>564</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Fonts\segoeuii.ttf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.148849"></TimeCreated>
+<EventRecordID>565</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\taskhost.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.148849"></TimeCreated>
+<EventRecordID>566</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\drivers\afd.sys</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.148849"></TimeCreated>
+<EventRecordID>567</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\drivers\FWPKCLNT.SYS</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.164450"></TimeCreated>
+<EventRecordID>568</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\drivers\tcpip.sys</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.164450"></TimeCreated>
+<EventRecordID>569</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\drivers\netio.sys</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.195648"></TimeCreated>
+<EventRecordID>570</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\mswsock.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.195648"></TimeCreated>
+<EventRecordID>571</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\mswsock.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.320450"></TimeCreated>
+<EventRecordID>572</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\smss.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.336048"></TimeCreated>
+<EventRecordID>573</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\csrsrv.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.336048"></TimeCreated>
+<EventRecordID>574</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ntdll.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.351648"></TimeCreated>
+<EventRecordID>575</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ntoskrnl.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.351648"></TimeCreated>
+<EventRecordID>576</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\apisetschema.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.367249"></TimeCreated>
+<EventRecordID>577</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntdll.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.367249"></TimeCreated>
+<EventRecordID>578</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntoskrnl.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.367249"></TimeCreated>
+<EventRecordID>579</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntkrnlpa.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.398449"></TimeCreated>
+<EventRecordID>580</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\AppPatch\acwow64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.414049"></TimeCreated>
+<EventRecordID>581</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\tdh.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.414049"></TimeCreated>
+<EventRecordID>582</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.414049"></TimeCreated>
+<EventRecordID>583</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.445250"></TimeCreated>
+<EventRecordID>584</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.445250"></TimeCreated>
+<EventRecordID>585</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.445250"></TimeCreated>
+<EventRecordID>586</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.445250"></TimeCreated>
+<EventRecordID>587</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64cpu.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.460850"></TimeCreated>
+<EventRecordID>588</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.460850"></TimeCreated>
+<EventRecordID>589</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.460850"></TimeCreated>
+<EventRecordID>590</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.460850"></TimeCreated>
+<EventRecordID>591</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.476448"></TimeCreated>
+<EventRecordID>592</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.476448"></TimeCreated>
+<EventRecordID>593</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.476448"></TimeCreated>
+<EventRecordID>594</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.476448"></TimeCreated>
+<EventRecordID>595</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ntvdm64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.492048"></TimeCreated>
+<EventRecordID>596</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.492048"></TimeCreated>
+<EventRecordID>597</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.492048"></TimeCreated>
+<EventRecordID>598</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.492048"></TimeCreated>
+<EventRecordID>599</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.507648"></TimeCreated>
+<EventRecordID>600</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.507648"></TimeCreated>
+<EventRecordID>601</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.507648"></TimeCreated>
+<EventRecordID>602</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\conhost.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.507648"></TimeCreated>
+<EventRecordID>603</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.523249"></TimeCreated>
+<EventRecordID>604</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\advapi32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.523249"></TimeCreated>
+<EventRecordID>605</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.523249"></TimeCreated>
+<EventRecordID>606</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.538849"></TimeCreated>
+<EventRecordID>607</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64win.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.538849"></TimeCreated>
+<EventRecordID>608</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.538849"></TimeCreated>
+<EventRecordID>609</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\kernel32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.538849"></TimeCreated>
+<EventRecordID>610</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\KernelBase.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.554451"></TimeCreated>
+<EventRecordID>611</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.554451"></TimeCreated>
+<EventRecordID>612</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.554451"></TimeCreated>
+<EventRecordID>613</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.554451"></TimeCreated>
+<EventRecordID>614</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.554451"></TimeCreated>
+<EventRecordID>615</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\winsrv.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.570051"></TimeCreated>
+<EventRecordID>616</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.570051"></TimeCreated>
+<EventRecordID>617</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.570051"></TimeCreated>
+<EventRecordID>618</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.570051"></TimeCreated>
+<EventRecordID>619</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\instnm.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.585651"></TimeCreated>
+<EventRecordID>620</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\tdh.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.585651"></TimeCreated>
+<EventRecordID>621</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.585651"></TimeCreated>
+<EventRecordID>622</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.601250"></TimeCreated>
+<EventRecordID>623</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.601250"></TimeCreated>
+<EventRecordID>624</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.601250"></TimeCreated>
+<EventRecordID>625</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\user.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.601250"></TimeCreated>
+<EventRecordID>626</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.616850"></TimeCreated>
+<EventRecordID>627</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.616850"></TimeCreated>
+<EventRecordID>628</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.616850"></TimeCreated>
+<EventRecordID>629</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.616850"></TimeCreated>
+<EventRecordID>630</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.632450"></TimeCreated>
+<EventRecordID>631</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.632450"></TimeCreated>
+<EventRecordID>632</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.632450"></TimeCreated>
+<EventRecordID>633</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntvdm64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.632450"></TimeCreated>
+<EventRecordID>634</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.648050"></TimeCreated>
+<EventRecordID>635</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.648050"></TimeCreated>
+<EventRecordID>636</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.648050"></TimeCreated>
+<EventRecordID>637</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.648050"></TimeCreated>
+<EventRecordID>638</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.663651"></TimeCreated>
+<EventRecordID>639</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.663651"></TimeCreated>
+<EventRecordID>640</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\wow32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.663651"></TimeCreated>
+<EventRecordID>641</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.679251"></TimeCreated>
+<EventRecordID>642</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\advapi32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.679251"></TimeCreated>
+<EventRecordID>643</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.679251"></TimeCreated>
+<EventRecordID>644</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.679251"></TimeCreated>
+<EventRecordID>645</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.694851"></TimeCreated>
+<EventRecordID>646</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\KernelBase.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.694851"></TimeCreated>
+<EventRecordID>647</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\kernel32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.694851"></TimeCreated>
+<EventRecordID>648</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.694851"></TimeCreated>
+<EventRecordID>649</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.710451"></TimeCreated>
+<EventRecordID>650</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.710451"></TimeCreated>
+<EventRecordID>651</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.710451"></TimeCreated>
+<EventRecordID>652</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.710451"></TimeCreated>
+<EventRecordID>653</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\setup16.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.726051"></TimeCreated>
+<EventRecordID>654</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.726051"></TimeCreated>
+<EventRecordID>655</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.038050"></TimeCreated>
+<EventRecordID>656</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Common Files\microsoft shared\VGX\VGX.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.038050"></TimeCreated>
+<EventRecordID>657</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\D3DCompiler_47.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.038050"></TimeCreated>
+<EventRecordID>658</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\iexplore.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.038050"></TimeCreated>
+<EventRecordID>659</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ie9props.propdesc</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.053650"></TimeCreated>
+<EventRecordID>660</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\JSProfilerCore.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.053650"></TimeCreated>
+<EventRecordID>661</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\jsprofilerui.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.069250"></TimeCreated>
+<EventRecordID>662</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\pdm.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.069250"></TimeCreated>
+<EventRecordID>663</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\pdmproxy100.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.069250"></TimeCreated>
+<EventRecordID>664</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\DiagnosticsTap.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.069250"></TimeCreated>
+<EventRecordID>665</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ExtExport.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.084850"></TimeCreated>
+<EventRecordID>666</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\sqmapi.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.084850"></TimeCreated>
+<EventRecordID>667</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\jsdebuggeride.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.100451"></TimeCreated>
+<EventRecordID>668</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\jsdbgui.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.100451"></TimeCreated>
+<EventRecordID>669</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\msdbg2.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.100451"></TimeCreated>
+<EventRecordID>670</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\networkinspection.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.116051"></TimeCreated>
+<EventRecordID>671</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\iedvtool.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.116051"></TimeCreated>
+<EventRecordID>672</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ielowutil.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.116051"></TimeCreated>
+<EventRecordID>673</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ieproxy.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.116051"></TimeCreated>
+<EventRecordID>674</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ieinstal.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.131651"></TimeCreated>
+<EventRecordID>675</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\F12Tools.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.131651"></TimeCreated>
+<EventRecordID>676</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\IEShims.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.131651"></TimeCreated>
+<EventRecordID>677</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\SIGNUP\install.ins</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd">S:AI</Data>
+<Data Name="NewSd"></Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.147251"></TimeCreated>
+<EventRecordID>678</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\F12Tools.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.194050"></TimeCreated>
+<EventRecordID>679</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\jsprofilerui.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.209650"></TimeCreated>
+<EventRecordID>680</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\jsdbgui.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.209650"></TimeCreated>
+<EventRecordID>681</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\iedvtool.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.225250"></TimeCreated>
+<EventRecordID>682</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\DiagnosticsTap.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.225250"></TimeCreated>
+<EventRecordID>683</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\ieinstal.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.225250"></TimeCreated>
+<EventRecordID>684</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\eula.rtf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.225250"></TimeCreated>
+<EventRecordID>685</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\networkinspection.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.240850"></TimeCreated>
+<EventRecordID>686</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.240850"></TimeCreated>
+<EventRecordID>687</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.256451"></TimeCreated>
+<EventRecordID>688</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\iexplore.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.256451"></TimeCreated>
+<EventRecordID>689</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\Timeline_is.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.256451"></TimeCreated>
+<EventRecordID>690</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\pdm.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.256451"></TimeCreated>
+<EventRecordID>691</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\msdbg2.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.272051"></TimeCreated>
+<EventRecordID>692</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\Timeline.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.272051"></TimeCreated>
+<EventRecordID>693</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\JSProfilerCore.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.287651"></TimeCreated>
+<EventRecordID>694</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\ielowutil.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.287651"></TimeCreated>
+<EventRecordID>695</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\ieinstal.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.287651"></TimeCreated>
+<EventRecordID>696</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\IEShims.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.287651"></TimeCreated>
+<EventRecordID>697</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\pdmproxy100.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.303251"></TimeCreated>
+<EventRecordID>698</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\perfcore.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.303251"></TimeCreated>
+<EventRecordID>699</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\D3DCompiler_47.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.303251"></TimeCreated>
+<EventRecordID>700</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\iedvtool.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.318851"></TimeCreated>
+<EventRecordID>701</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\ieproxy.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.318851"></TimeCreated>
+<EventRecordID>702</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\DiagnosticsTap.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.318851"></TimeCreated>
+<EventRecordID>703</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\iediagcmd.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.334450"></TimeCreated>
+<EventRecordID>704</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\perf_nt.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.334450"></TimeCreated>
+<EventRecordID>705</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.334450"></TimeCreated>
+<EventRecordID>706</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\F12Tools.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.334450"></TimeCreated>
+<EventRecordID>707</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\jsdebuggeride.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.412451"></TimeCreated>
+<EventRecordID>708</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\networkinspection.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.412451"></TimeCreated>
+<EventRecordID>709</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\jsprofilerui.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.412451"></TimeCreated>
+<EventRecordID>710</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\DiagnosticsHub.ScriptedSandboxPlugin.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.428051"></TimeCreated>
+<EventRecordID>711</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\MemoryAnalyzer.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.428051"></TimeCreated>
+<EventRecordID>712</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\F12Resources.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.428051"></TimeCreated>
+<EventRecordID>713</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\ie9props.propdesc</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.443651"></TimeCreated>
+<EventRecordID>714</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\jsdbgui.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.443651"></TimeCreated>
+<EventRecordID>715</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\F12.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.443651"></TimeCreated>
+<EventRecordID>716</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.443651"></TimeCreated>
+<EventRecordID>717</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\Timeline.cpu.xml</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.459251"></TimeCreated>
+<EventRecordID>718</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\sqmapi.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.459251"></TimeCreated>
+<EventRecordID>719</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\jsprofilerui.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.459251"></TimeCreated>
+<EventRecordID>720</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\F12Tools.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.474850"></TimeCreated>
+<EventRecordID>721</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\F12.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.474850"></TimeCreated>
+<EventRecordID>722</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\jsdbgui.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.474850"></TimeCreated>
+<EventRecordID>723</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.490450"></TimeCreated>
+<EventRecordID>724</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.506050"></TimeCreated>
+<EventRecordID>725</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.506050"></TimeCreated>
+<EventRecordID>726</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\DiagnosticsTap.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.506050"></TimeCreated>
+<EventRecordID>727</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.521652"></TimeCreated>
+<EventRecordID>728</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\eula.rtf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.599651"></TimeCreated>
+<EventRecordID>729</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.599651"></TimeCreated>
+<EventRecordID>730</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\images\bing.ico</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.599651"></TimeCreated>
+<EventRecordID>731</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\SIGNUP\install.ins</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd">S:AI</Data>
+<Data Name="NewSd"></Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.615252"></TimeCreated>
+<EventRecordID>732</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieapfltr.dat</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.615252"></TimeCreated>
+<EventRecordID>733</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\url.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.630852"></TimeCreated>
+<EventRecordID>734</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\mshta.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.630852"></TimeCreated>
+<EventRecordID>735</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\jsproxy.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.630852"></TimeCreated>
+<EventRecordID>736</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieUnatt.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.646452"></TimeCreated>
+<EventRecordID>737</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieui.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.646452"></TimeCreated>
+<EventRecordID>738</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\mshtmlmedia.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.646452"></TimeCreated>
+<EventRecordID>739</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieetwproxystub.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.646452"></TimeCreated>
+<EventRecordID>740</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\jsIntl.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.646452"></TimeCreated>
+<EventRecordID>741</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\RegisterIEPKEYs.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.662052"></TimeCreated>
+<EventRecordID>742</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\iepeers.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.662052"></TimeCreated>
+<EventRecordID>743</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\elshyph.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.662052"></TimeCreated>
+<EventRecordID>744</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieframe.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.677652"></TimeCreated>
+<EventRecordID>745</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ie4uinit.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.677652"></TimeCreated>
+<EventRecordID>746</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\licmgr10.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.693253"></TimeCreated>
+<EventRecordID>747</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\mshtmler.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.693253"></TimeCreated>
+<EventRecordID>748</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\iexpress.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.693253"></TimeCreated>
+<EventRecordID>749</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\IEAdvpack.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.708853"></TimeCreated>
+<EventRecordID>750</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\dxtrans.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.802452"></TimeCreated>
+<EventRecordID>751</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wextract.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.818052"></TimeCreated>
+<EventRecordID>752</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieetwcollectorres.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.818052"></TimeCreated>
+<EventRecordID>753</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\SetIEInstalledDate.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.833652"></TimeCreated>
+<EventRecordID>754</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wininet.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.833652"></TimeCreated>
+<EventRecordID>755</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\MshtmlDac.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.849253"></TimeCreated>
+<EventRecordID>756</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\jscript.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.849253"></TimeCreated>
+<EventRecordID>757</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\JavaScriptCollectionAgent.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.849253"></TimeCreated>
+<EventRecordID>758</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\msfeedssync.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.864853"></TimeCreated>
+<EventRecordID>759</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\webcheck.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.864853"></TimeCreated>
+<EventRecordID>760</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\MsSpellCheckingFacility.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.880453"></TimeCreated>
+<EventRecordID>761</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\icardie.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.880453"></TimeCreated>
+<EventRecordID>762</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\iertutil.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.896051"></TimeCreated>
+<EventRecordID>763</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pngfilt.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.896051"></TimeCreated>
+<EventRecordID>764</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\msls31.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.911652"></TimeCreated>
+<EventRecordID>765</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieetwcollector.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.911652"></TimeCreated>
+<EventRecordID>766</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\jscript9diag.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.927252"></TimeCreated>
+<EventRecordID>767</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\iedkcs32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.942852"></TimeCreated>
+<EventRecordID>768</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\iesetup.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.942852"></TimeCreated>
+<EventRecordID>769</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\iernonce.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.942852"></TimeCreated>
+<EventRecordID>770</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\vbscript.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.958452"></TimeCreated>
+<EventRecordID>771</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\inseng.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.958452"></TimeCreated>
+<EventRecordID>772</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\iesysprep.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.974052"></TimeCreated>
+<EventRecordID>773</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\inetcpl.cpl</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.974052"></TimeCreated>
+<EventRecordID>774</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\jscript9.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.974052"></TimeCreated>
+<EventRecordID>775</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\occache.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.974052"></TimeCreated>
+<EventRecordID>776</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieapfltr.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.989653"></TimeCreated>
+<EventRecordID>777</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\html.iec</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.989653"></TimeCreated>
+<EventRecordID>778</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\imgutil.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.005253"></TimeCreated>
+<EventRecordID>779</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\msfeeds.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.005253"></TimeCreated>
+<EventRecordID>780</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieuinit.inf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.005253"></TimeCreated>
+<EventRecordID>781</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\tdc.ocx</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.020853"></TimeCreated>
+<EventRecordID>782</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\mshtml.tlb</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.020853"></TimeCreated>
+<EventRecordID>783</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\mshtml.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.036451"></TimeCreated>
+<EventRecordID>784</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\mshtmled.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.036451"></TimeCreated>
+<EventRecordID>785</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\urlmon.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.052052"></TimeCreated>
+<EventRecordID>786</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\msfeedsbs.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.052052"></TimeCreated>
+<EventRecordID>787</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\msrating.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.052052"></TimeCreated>
+<EventRecordID>788</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\dxtmsft.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.067652"></TimeCreated>
+<EventRecordID>789</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\iesetup.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.067652"></TimeCreated>
+<EventRecordID>790</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\mshtmlmedia.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.083252"></TimeCreated>
+<EventRecordID>791</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\icardie.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.098852"></TimeCreated>
+<EventRecordID>792</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\iepeers.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.130053"></TimeCreated>
+<EventRecordID>793</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\IEAdvpack.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.130053"></TimeCreated>
+<EventRecordID>794</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\jsIntl.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.130053"></TimeCreated>
+<EventRecordID>795</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\occache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.130053"></TimeCreated>
+<EventRecordID>796</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\MsSpellCheckingFacility.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.145653"></TimeCreated>
+<EventRecordID>797</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\wextract.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.145653"></TimeCreated>
+<EventRecordID>798</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\ieunatt.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.145653"></TimeCreated>
+<EventRecordID>799</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\ie4uinit.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.161253"></TimeCreated>
+<EventRecordID>800</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\iernonce.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.161253"></TimeCreated>
+<EventRecordID>801</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\elshyph.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.161253"></TimeCreated>
+<EventRecordID>802</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\jscript.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.176851"></TimeCreated>
+<EventRecordID>803</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\msrating.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.176851"></TimeCreated>
+<EventRecordID>804</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\ieframe.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.176851"></TimeCreated>
+<EventRecordID>805</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\msfeedsbs.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.192451"></TimeCreated>
+<EventRecordID>806</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\vbscript.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.192451"></TimeCreated>
+<EventRecordID>807</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\ieui.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.208052"></TimeCreated>
+<EventRecordID>808</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\html.iec.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.208052"></TimeCreated>
+<EventRecordID>809</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\iexpress.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.223652"></TimeCreated>
+<EventRecordID>810</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\mshtmler.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.223652"></TimeCreated>
+<EventRecordID>811</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\urlmon.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.223652"></TimeCreated>
+<EventRecordID>812</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\jscript9.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.239252"></TimeCreated>
+<EventRecordID>813</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\iedkcs32.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.239252"></TimeCreated>
+<EventRecordID>814</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\webcheck.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.239252"></TimeCreated>
+<EventRecordID>815</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\wininet.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.254852"></TimeCreated>
+<EventRecordID>816</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\mshta.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.254852"></TimeCreated>
+<EventRecordID>817</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\licmgr10.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.270452"></TimeCreated>
+<EventRecordID>818</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\mshtml.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.270452"></TimeCreated>
+<EventRecordID>819</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\inseng.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.286053"></TimeCreated>
+<EventRecordID>820</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\inetcpl.cpl.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.286053"></TimeCreated>
+<EventRecordID>821</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\ieetwcollectorres.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.286053"></TimeCreated>
+<EventRecordID>822</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\spp\tokens\ppdlic\Microsoft-Windows-IE-InternetExplorer-ppdlic.xrm-ms</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.286053"></TimeCreated>
+<EventRecordID>823</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wdi\perftrack\Microsoft-Windows-IE-HTMLRendering.ptxml</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.301653"></TimeCreated>
+<EventRecordID>824</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wdi\perftrack\ieframe.ptxml</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.301653"></TimeCreated>
+<EventRecordID>825</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wdi\perftrack\Microsoft-Windows-IE-F12-Provider.ptxml</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.317253"></TimeCreated>
+<EventRecordID>826</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\migration\WininetPlugin.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.317253"></TimeCreated>
+<EventRecordID>827</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\PolicyDefinitions\inetres.admx</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.332851"></TimeCreated>
+<EventRecordID>828</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\PolicyDefinitions\en-US\InetRes.adml</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.410854"></TimeCreated>
+<EventRecordID>829</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ieapfltr.dat</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.410854"></TimeCreated>
+<EventRecordID>830</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\mshta.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.426455"></TimeCreated>
+<EventRecordID>831</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\jsproxy.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.426455"></TimeCreated>
+<EventRecordID>832</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\url.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.426455"></TimeCreated>
+<EventRecordID>833</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ieUnatt.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.442055"></TimeCreated>
+<EventRecordID>834</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ieui.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.442055"></TimeCreated>
+<EventRecordID>835</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\mshtmlmedia.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.442055"></TimeCreated>
+<EventRecordID>836</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\jsIntl.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.442055"></TimeCreated>
+<EventRecordID>837</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ieetwproxystub.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.457653"></TimeCreated>
+<EventRecordID>838</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\RegisterIEPKEYs.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.457653"></TimeCreated>
+<EventRecordID>839</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\elshyph.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.457653"></TimeCreated>
+<EventRecordID>840</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\iepeers.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.473253"></TimeCreated>
+<EventRecordID>841</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ieframe.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.473253"></TimeCreated>
+<EventRecordID>842</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\licmgr10.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.488853"></TimeCreated>
+<EventRecordID>843</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\mshtmler.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.488853"></TimeCreated>
+<EventRecordID>844</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\iexpress.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.488853"></TimeCreated>
+<EventRecordID>845</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\IEAdvpack.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.488853"></TimeCreated>
+<EventRecordID>846</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\wextract.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.504454"></TimeCreated>
+<EventRecordID>847</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\dxtrans.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.504454"></TimeCreated>
+<EventRecordID>848</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\wininet.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.520054"></TimeCreated>
+<EventRecordID>849</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\SetIEInstalledDate.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.520054"></TimeCreated>
+<EventRecordID>850</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\MshtmlDac.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.520054"></TimeCreated>
+<EventRecordID>851</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\jscript.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.535654"></TimeCreated>
+<EventRecordID>852</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.535654"></TimeCreated>
+<EventRecordID>853</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\msfeedssync.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.535654"></TimeCreated>
+<EventRecordID>854</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\webcheck.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.551254"></TimeCreated>
+<EventRecordID>855</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\icardie.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.551254"></TimeCreated>
+<EventRecordID>856</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\iertutil.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.566854"></TimeCreated>
+<EventRecordID>857</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pngfilt.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.582455"></TimeCreated>
+<EventRecordID>858</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\jscript9diag.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.582455"></TimeCreated>
+<EventRecordID>859</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\msls31.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.598053"></TimeCreated>
+<EventRecordID>860</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\iedkcs32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.598053"></TimeCreated>
+<EventRecordID>861</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\iesetup.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.613653"></TimeCreated>
+<EventRecordID>862</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\iernonce.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.613653"></TimeCreated>
+<EventRecordID>863</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\vbscript.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.613653"></TimeCreated>
+<EventRecordID>864</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\iesysprep.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.629253"></TimeCreated>
+<EventRecordID>865</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\inseng.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.629253"></TimeCreated>
+<EventRecordID>866</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\jscript9.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.629253"></TimeCreated>
+<EventRecordID>867</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\occache.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.644854"></TimeCreated>
+<EventRecordID>868</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\inetcpl.cpl</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.644854"></TimeCreated>
+<EventRecordID>869</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ieapfltr.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.644854"></TimeCreated>
+<EventRecordID>870</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\html.iec</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.660454"></TimeCreated>
+<EventRecordID>871</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\imgutil.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.660454"></TimeCreated>
+<EventRecordID>872</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\msfeeds.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.660454"></TimeCreated>
+<EventRecordID>873</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ieuinit.inf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.676054"></TimeCreated>
+<EventRecordID>874</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\tdc.ocx</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.676054"></TimeCreated>
+<EventRecordID>875</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\mshtml.tlb</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.676054"></TimeCreated>
+<EventRecordID>876</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\mshtml.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.691654"></TimeCreated>
+<EventRecordID>877</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\mshtmled.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.691654"></TimeCreated>
+<EventRecordID>878</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\urlmon.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.691654"></TimeCreated>
+<EventRecordID>879</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\msfeedsbs.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.707254"></TimeCreated>
+<EventRecordID>880</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\msrating.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.707254"></TimeCreated>
+<EventRecordID>881</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\dxtmsft.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.722855"></TimeCreated>
+<EventRecordID>882</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\webcheck.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.722855"></TimeCreated>
+<EventRecordID>883</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iernonce.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.722855"></TimeCreated>
+<EventRecordID>884</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\inseng.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.738453"></TimeCreated>
+<EventRecordID>885</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\html.iec.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.738453"></TimeCreated>
+<EventRecordID>886</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\msrating.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.738453"></TimeCreated>
+<EventRecordID>887</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\wininet.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.754053"></TimeCreated>
+<EventRecordID>888</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\ieui.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.754053"></TimeCreated>
+<EventRecordID>889</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\elshyph.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.769653"></TimeCreated>
+<EventRecordID>890</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iexpress.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.769653"></TimeCreated>
+<EventRecordID>891</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\ieetwcollectorres.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.769653"></TimeCreated>
+<EventRecordID>892</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\occache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.785254"></TimeCreated>
+<EventRecordID>893</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\ieframe.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.785254"></TimeCreated>
+<EventRecordID>894</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\mshta.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.785254"></TimeCreated>
+<EventRecordID>895</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\mshtml.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.800854"></TimeCreated>
+<EventRecordID>896</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\wextract.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.800854"></TimeCreated>
+<EventRecordID>897</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iesetup.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.800854"></TimeCreated>
+<EventRecordID>898</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\ieunatt.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.816454"></TimeCreated>
+<EventRecordID>899</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\licmgr10.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.816454"></TimeCreated>
+<EventRecordID>900</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\mshtmler.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.832054"></TimeCreated>
+<EventRecordID>901</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\jscript.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.832054"></TimeCreated>
+<EventRecordID>902</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\vbscript.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.832054"></TimeCreated>
+<EventRecordID>903</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iepeers.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.847654"></TimeCreated>
+<EventRecordID>904</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\IEAdvpack.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.863255"></TimeCreated>
+<EventRecordID>905</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\msfeedsbs.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.863255"></TimeCreated>
+<EventRecordID>906</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\mshtmlmedia.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.878855"></TimeCreated>
+<EventRecordID>907</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iedkcs32.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.878855"></TimeCreated>
+<EventRecordID>908</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\urlmon.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.878855"></TimeCreated>
+<EventRecordID>909</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\inetcpl.cpl.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.894453"></TimeCreated>
+<EventRecordID>910</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\jscript9.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.894453"></TimeCreated>
+<EventRecordID>911</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\icardie.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.894453"></TimeCreated>
+<EventRecordID>912</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\wdi\perftrack\wow64_ieframe.ptxml</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.910053"></TimeCreated>
+<EventRecordID>913</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\wdi\perftrack\wow64_Microsoft-Windows-IE-HTMLRendering.ptxml</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.910053"></TimeCreated>
+<EventRecordID>914</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\migration\WininetPlugin.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.941254"></TimeCreated>
+<EventRecordID>915</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Globalization\ELS\SpellDictionaries\MsSp7en.acl</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.956854"></TimeCreated>
+<EventRecordID>916</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Globalization\ELS\SpellDictionaries\MsSp7en.dub</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.956854"></TimeCreated>
+<EventRecordID>917</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Globalization\ELS\SpellDictionaries\MsSp7en.lex</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.972454"></TimeCreated>
+<EventRecordID>918</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="472"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Globalization\ELS\HyphenationDictionaries\MsHy7en.lex</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"></Provider>
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:42.967728"></TimeCreated>
+<EventRecordID>919</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="728" ThreadID="2476"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<UserData><ServiceShutdown xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"></ServiceShutdown>
+</UserData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:42.515327"></TimeCreated>
+<EventRecordID>920</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="492"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:42.515327"></TimeCreated>
+<EventRecordID>921</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="456" ThreadID="492"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:31.655058"></TimeCreated>
+<EventRecordID>922</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="504"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:31.655058"></TimeCreated>
+<EventRecordID>923</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="504"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName"></Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:32.388258"></TimeCreated>
+<EventRecordID>924</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="552"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x000000000000c957</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.493498"></TimeCreated>
+<EventRecordID>925</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.493498"></TimeCreated>
+<EventRecordID>926</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.649498"></TimeCreated>
+<EventRecordID>927</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.649498"></TimeCreated>
+<EventRecordID>928</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.758699"></TimeCreated>
+<EventRecordID>929</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.758699"></TimeCreated>
+<EventRecordID>930</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.821098"></TimeCreated>
+<EventRecordID>931</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.821098"></TimeCreated>
+<EventRecordID>932</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.899099"></TimeCreated>
+<EventRecordID>933</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.899099"></TimeCreated>
+<EventRecordID>934</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:56.427902"></TimeCreated>
+<EventRecordID>935</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:56.427902"></TimeCreated>
+<EventRecordID>936</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:02.059311"></TimeCreated>
+<EventRecordID>937</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="624"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:02.059311"></TimeCreated>
+<EventRecordID>938</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="624"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:02.418114"></TimeCreated>
+<EventRecordID>939</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="52"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:02.714514"></TimeCreated>
+<EventRecordID>940</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="548"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x000000000001a427</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:02.745712"></TimeCreated>
+<EventRecordID>941</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="624"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:12.589331"></TimeCreated>
+<EventRecordID>942</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:12.589331"></TimeCreated>
+<EventRecordID>943</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:24.804152"></TimeCreated>
+<EventRecordID>944</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="516"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Globalization\ELS\HyphenationDictionaries</Data>
+<Data Name="HandleId">0x00000000000002d4</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;0x1f0116;;;WD)</Data>
+<Data Name="ProcessId">0x00000000000003e8</Data>
+<Data Name="ProcessName">C:\Windows\servicing\TrustedInstaller.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:24.850952"></TimeCreated>
+<EventRecordID>945</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="516"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Globalization\ELS\SpellDictionaries</Data>
+<Data Name="HandleId">0x00000000000002d0</Data>
+<Data Name="OldSd"></Data>
+<Data Name="NewSd">S:ARAI(AU;SAFA;0x1f0116;;;WD)</Data>
+<Data Name="ProcessId">0x00000000000003e8</Data>
+<Data Name="ProcessName">C:\Windows\servicing\TrustedInstaller.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:24:03.773020"></TimeCreated>
+<EventRecordID>946</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="548"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:24:03.773020"></TimeCreated>
+<EventRecordID>947</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="548"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000056f8b</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:24:03.773020"></TimeCreated>
+<EventRecordID>948</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="548"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000056fb9</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:24:03.773020"></TimeCreated>
+<EventRecordID>949</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="548"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x0000000000056f8b</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:25:04.193928"></TimeCreated>
+<EventRecordID>950</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:25:04.193928"></TimeCreated>
+<EventRecordID>951</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"></Provider>
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:28:28.791111"></TimeCreated>
+<EventRecordID>952</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="760" ThreadID="2512"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<UserData><ServiceShutdown xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"></ServiceShutdown>
+</UserData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:28:28.026711"></TimeCreated>
+<EventRecordID>953</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000056fb9</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:36.516434"></TimeCreated>
+<EventRecordID>954</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="504"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:36.516434"></TimeCreated>
+<EventRecordID>955</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="504"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName"></Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:36.672434"></TimeCreated>
+<EventRecordID>956</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="556"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x000000000000c54c</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:37.998434"></TimeCreated>
+<EventRecordID>957</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:37.998434"></TimeCreated>
+<EventRecordID>958</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.154436"></TimeCreated>
+<EventRecordID>959</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.154436"></TimeCreated>
+<EventRecordID>960</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.279236"></TimeCreated>
+<EventRecordID>961</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.279236"></TimeCreated>
+<EventRecordID>962</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.388435"></TimeCreated>
+<EventRecordID>963</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.388435"></TimeCreated>
+<EventRecordID>964</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.435236"></TimeCreated>
+<EventRecordID>965</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.435236"></TimeCreated>
+<EventRecordID>966</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.887638"></TimeCreated>
+<EventRecordID>967</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.887638"></TimeCreated>
+<EventRecordID>968</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:39.839441"></TimeCreated>
+<EventRecordID>969</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="44"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:41.029442"></TimeCreated>
+<EventRecordID>970</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:43.719446"></TimeCreated>
+<EventRecordID>971</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x000000000001c185</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:16.282011"></TimeCreated>
+<EventRecordID>972</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:16.282011"></TimeCreated>
+<EventRecordID>973</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000224e3</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:16.282011"></TimeCreated>
+<EventRecordID>974</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000022517</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:16.282011"></TimeCreated>
+<EventRecordID>975</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:31.129238"></TimeCreated>
+<EventRecordID>976</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:31.129238"></TimeCreated>
+<EventRecordID>977</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:45.700264"></TimeCreated>
+<EventRecordID>978</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:45.700264"></TimeCreated>
+<EventRecordID>979</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:47:37.490059"></TimeCreated>
+<EventRecordID>980</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:47:37.490059"></TimeCreated>
+<EventRecordID>981</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="596"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:37.681681"></TimeCreated>
+<EventRecordID>982</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x0000000000022517</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4728</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.524311"></TimeCreated>
+<EventRecordID>983</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">None</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-513</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4720</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.524311"></TimeCreated>
+<EventRecordID>984</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">admin11</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x0</Data>
+<Data Name="NewUacValue">0x15</Data>
+<Data Name="UserAccountControl">
+		%%2080
+		%%2082
+		%%2084</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4722</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.524311"></TimeCreated>
+<EventRecordID>985</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.524311"></TimeCreated>
+<EventRecordID>986</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">admin11</Data>
+<Data Name="DisplayName">admin11</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x15</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">
+		%%2048
+		%%2050
+		%%2089</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4732</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.524311"></TimeCreated>
+<EventRecordID>987</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.539913"></TimeCreated>
+<EventRecordID>988</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4732</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.617912"></TimeCreated>
+<EventRecordID>989</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">Administrators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-544</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.617912"></TimeCreated>
+<EventRecordID>990</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">admin11</Data>
+<Data Name="DisplayName">admin11</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x210</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:10.872742"></TimeCreated>
+<EventRecordID>991</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">admin11</Data>
+<Data Name="DisplayName">admin11</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">3/22/2015 11:52:10 AM</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x210</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4724</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:10.872742"></TimeCreated>
+<EventRecordID>992</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:17.881954"></TimeCreated>
+<EventRecordID>993</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4728</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.742777"></TimeCreated>
+<EventRecordID>994</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="TargetUserName">None</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-513</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4720</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.742777"></TimeCreated>
+<EventRecordID>995</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">ITechTeam</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x0</Data>
+<Data Name="NewUacValue">0x15</Data>
+<Data Name="UserAccountControl">
+		%%2080
+		%%2082
+		%%2084</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4722</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.742777"></TimeCreated>
+<EventRecordID>996</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.742777"></TimeCreated>
+<EventRecordID>997</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">ITechTeam</Data>
+<Data Name="DisplayName">ITechTeam</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x15</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">
+		%%2048
+		%%2050
+		%%2089</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4732</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.758377"></TimeCreated>
+<EventRecordID>998</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2568"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="TargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.773977"></TimeCreated>
+<EventRecordID>999</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4732</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.805178"></TimeCreated>
+<EventRecordID>1000</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="TargetUserName">Administrators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-544</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.820778"></TimeCreated>
+<EventRecordID>1001</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">ITechTeam</Data>
+<Data Name="DisplayName">ITechTeam</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x210</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:45.546404"></TimeCreated>
+<EventRecordID>1002</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">ITechTeam</Data>
+<Data Name="DisplayName">ITechTeam</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">3/22/2015 11:52:45 AM</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x210</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4724</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:45.546404"></TimeCreated>
+<EventRecordID>1003</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:52.694817"></TimeCreated>
+<EventRecordID>1004</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4728</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:01.900034"></TimeCreated>
+<EventRecordID>1005</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="TargetUserName">None</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-513</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4720</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:01.900034"></TimeCreated>
+<EventRecordID>1006</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">temporary</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x0</Data>
+<Data Name="NewUacValue">0x15</Data>
+<Data Name="UserAccountControl">
+		%%2080
+		%%2082
+		%%2084</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4722</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:01.900034"></TimeCreated>
+<EventRecordID>1007</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:01.900034"></TimeCreated>
+<EventRecordID>1008</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">temporary</Data>
+<Data Name="DisplayName">temporary</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x15</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">
+		%%2048
+		%%2050
+		%%2089</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4732</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:01.915634"></TimeCreated>
+<EventRecordID>1009</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="TargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:01.931234"></TimeCreated>
+<EventRecordID>1010</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:01.978035"></TimeCreated>
+<EventRecordID>1011</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">temporary</Data>
+<Data Name="DisplayName">temporary</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x210</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:11.774855"></TimeCreated>
+<EventRecordID>1012</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">temporary</Data>
+<Data Name="DisplayName">temporary</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">3/22/2015 11:53:11 AM</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x210</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4724</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:11.774855"></TimeCreated>
+<EventRecordID>1013</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="536"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:17.267263"></TimeCreated>
+<EventRecordID>1014</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:44.310112"></TimeCreated>
+<EventRecordID>1015</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x00000000000007a0</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:44.310112"></TimeCreated>
+<EventRecordID>1016</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000094b57</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000007a0</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:44.310112"></TimeCreated>
+<EventRecordID>1017</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000094b71</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000007a0</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:44.310112"></TimeCreated>
+<EventRecordID>1018</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserName">admin11</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x0000000000094b57</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:55:52.345053"></TimeCreated>
+<EventRecordID>1019</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2272"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000094b71</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:55:57.259062"></TimeCreated>
+<EventRecordID>1020</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x000000000000072c</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:55:57.259062"></TimeCreated>
+<EventRecordID>1021</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000f2cd6</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x000000000000072c</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:56:45.514757"></TimeCreated>
+<EventRecordID>1022</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000094b71</Data>
+<Data Name="LogonType">2</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:56:45.514757"></TimeCreated>
+<EventRecordID>1023</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000094b57</Data>
+<Data Name="LogonType">2</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:56:58.020781"></TimeCreated>
+<EventRecordID>1024</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000f2cd6</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:02.435589"></TimeCreated>
+<EventRecordID>1025</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x0000000000000954</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:02.435589"></TimeCreated>
+<EventRecordID>1026</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000001354b3</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000954</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:02.435589"></TimeCreated>
+<EventRecordID>1027</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000001354c8</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000954</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:02.435589"></TimeCreated>
+<EventRecordID>1028</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2668"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserName">admin11</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000001354b3</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:41.899269"></TimeCreated>
+<EventRecordID>1029</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2272"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000001354c8</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:54.426090"></TimeCreated>
+<EventRecordID>1030</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2272"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x0000000000000c1c</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:54.426090"></TimeCreated>
+<EventRecordID>1031</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2272"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000157b62</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000c1c</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:54.426090"></TimeCreated>
+<EventRecordID>1032</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2272"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000157b78</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000c1c</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:54.426090"></TimeCreated>
+<EventRecordID>1033</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2272"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x0000000000157b62</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:55.533691"></TimeCreated>
+<EventRecordID>1034</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="988"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000157b78</Data>
+<Data Name="LogonType">2</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:55.533691"></TimeCreated>
+<EventRecordID>1035</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2272"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000157b62</Data>
+<Data Name="LogonType">2</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:56.376093"></TimeCreated>
+<EventRecordID>1036</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2272"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000f2cd6</Data>
+<Data Name="LogonType">2</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:58:26.374947"></TimeCreated>
+<EventRecordID>1037</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2272"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000001354c8</Data>
+<Data Name="LogonType">2</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:58:26.374947"></TimeCreated>
+<EventRecordID>1038</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="988"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000001354b3</Data>
+<Data Name="LogonType">2</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"></Provider>
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 16:00:09.652330"></TimeCreated>
+<EventRecordID>1039</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="744" ThreadID="2916"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<UserData><ServiceShutdown xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"></ServiceShutdown>
+</UserData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 16:00:08.607128"></TimeCreated>
+<EventRecordID>1040</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="500" ThreadID="2272"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000022517</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:23.645645"></TimeCreated>
+<EventRecordID>1041</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="496"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:23.661245"></TimeCreated>
+<EventRecordID>1042</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="496"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName"></Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:23.708046"></TimeCreated>
+<EventRecordID>1043</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="548"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x000000000000bac4</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.659647"></TimeCreated>
+<EventRecordID>1044</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.659647"></TimeCreated>
+<EventRecordID>1045</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.800047"></TimeCreated>
+<EventRecordID>1046</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.800047"></TimeCreated>
+<EventRecordID>1047</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.862448"></TimeCreated>
+<EventRecordID>1048</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.862448"></TimeCreated>
+<EventRecordID>1049</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.940447"></TimeCreated>
+<EventRecordID>1050</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.940447"></TimeCreated>
+<EventRecordID>1051</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:25.065247"></TimeCreated>
+<EventRecordID>1052</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:25.065247"></TimeCreated>
+<EventRecordID>1053</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:26.244253"></TimeCreated>
+<EventRecordID>1054</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="528"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:26.244253"></TimeCreated>
+<EventRecordID>1055</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="528"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:26.424252"></TimeCreated>
+<EventRecordID>1056</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="64"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:26.656254"></TimeCreated>
+<EventRecordID>1057</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:28.422262"></TimeCreated>
+<EventRecordID>1058</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x000000000001b9a4</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:41.036285"></TimeCreated>
+<EventRecordID>1059</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x00000000000001a8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:41.036285"></TimeCreated>
+<EventRecordID>1060</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x000000000002359c</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001a8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:41.036285"></TimeCreated>
+<EventRecordID>1061</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000235cc</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001a8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:41.036285"></TimeCreated>
+<EventRecordID>1062</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x000000000002359c</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:53.981310"></TimeCreated>
+<EventRecordID>1063</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:53.981310"></TimeCreated>
+<EventRecordID>1064</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:25:47.191999"></TimeCreated>
+<EventRecordID>1065</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="56"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PreviousTime">2015-03-23 17:25:47.192598</Data>
+<Data Name="NewTime">2015-03-23 17:25:47.191999</Data>
+<Data Name="ProcessId">0x0000000000000358</Data>
+<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:26:34.578482"></TimeCreated>
+<EventRecordID>1066</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:26:34.578482"></TimeCreated>
+<EventRecordID>1067</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 18:36:07.849930"></TimeCreated>
+<EventRecordID>1068</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="4028"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 18:36:07.849930"></TimeCreated>
+<EventRecordID>1069</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="4028"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 19:08:15.571480"></TimeCreated>
+<EventRecordID>1070</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="52"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PreviousTime">2015-03-23 18:57:01.113134</Data>
+<Data Name="NewTime">2015-03-23 19:08:15.571480</Data>
+<Data Name="ProcessId">0x0000000000000358</Data>
+<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 19:08:15.586599"></TimeCreated>
+<EventRecordID>1071</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="64"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PreviousTime">2015-03-23 19:08:15.571480</Data>
+<Data Name="NewTime">2015-03-23 19:08:15.570999</Data>
+<Data Name="ProcessId">0x0000000000000358</Data>
+<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 19:08:46.442999"></TimeCreated>
+<EventRecordID>1072</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="52"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PreviousTime">2015-03-23 19:08:46.443419</Data>
+<Data Name="NewTime">2015-03-23 19:08:46.442999</Data>
+<Data Name="ProcessId">0x0000000000000358</Data>
+<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:00:22.997030"></TimeCreated>
+<EventRecordID>1073</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="2208"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:00:22.997030"></TimeCreated>
+<EventRecordID>1074</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="2208"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:00:45.605478"></TimeCreated>
+<EventRecordID>1075</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="3192"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:00:45.605478"></TimeCreated>
+<EventRecordID>1076</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="3192"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:01:01.714952"></TimeCreated>
+<EventRecordID>1077</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:01:01.714952"></TimeCreated>
+<EventRecordID>1078</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:01:02.354555"></TimeCreated>
+<EventRecordID>1079</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:01:02.354555"></TimeCreated>
+<EventRecordID>1080</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4904</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:01:22.824591"></TimeCreated>
+<EventRecordID>1081</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="2208"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000002c2083</Data>
+<Data Name="ProcessId">0x0000000000000d40</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4905</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:01:22.840191"></TimeCreated>
+<EventRecordID>1082</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="2208"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000002c2083</Data>
+<Data Name="ProcessId">0x0000000000000d40</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:23:27.973217"></TimeCreated>
+<EventRecordID>1083</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="2164"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000235cc</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">Company</Data>
+<Data Name="TargetDomainName">INFORMANT-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">Company-PC</Data>
+<Data Name="TargetInfo">Company-PC</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName"></Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 21:02:53.551575"></TimeCreated>
+<EventRecordID>1084</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="492" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000235cc</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"></Provider>
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 21:02:59.900787"></TimeCreated>
+<EventRecordID>1085</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="724" ThreadID="3256"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<UserData><ServiceShutdown xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"></ServiceShutdown>
+</UserData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:29.399240"></TimeCreated>
+<EventRecordID>1086</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="500"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:29.399240"></TimeCreated>
+<EventRecordID>1087</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="500"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName"></Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:29.461641"></TimeCreated>
+<EventRecordID>1088</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="548"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x000000000000b683</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.481653"></TimeCreated>
+<EventRecordID>1089</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="560"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.481653"></TimeCreated>
+<EventRecordID>1090</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="560"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.653254"></TimeCreated>
+<EventRecordID>1091</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="560"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.653254"></TimeCreated>
+<EventRecordID>1092</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="560"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.715654"></TimeCreated>
+<EventRecordID>1093</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="564"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.715654"></TimeCreated>
+<EventRecordID>1094</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="564"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.824854"></TimeCreated>
+<EventRecordID>1095</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="560"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.824854"></TimeCreated>
+<EventRecordID>1096</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="560"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.902853"></TimeCreated>
+<EventRecordID>1097</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="560"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.902853"></TimeCreated>
+<EventRecordID>1098</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="560"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:37.949461"></TimeCreated>
+<EventRecordID>1099</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="564"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:37.949461"></TimeCreated>
+<EventRecordID>1100</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="564"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:38.131464"></TimeCreated>
+<EventRecordID>1101</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="52"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:38.323465"></TimeCreated>
+<EventRecordID>1102</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="564"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:38.835484"></TimeCreated>
+<EventRecordID>1103</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="560"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x000000000001c0ce</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:44.983509"></TimeCreated>
+<EventRecordID>1104</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="532"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:44.983509"></TimeCreated>
+<EventRecordID>1105</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="532"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x000000000002269c</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:44.983509"></TimeCreated>
+<EventRecordID>1106</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="532"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000226c4</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:44.983509"></TimeCreated>
+<EventRecordID>1107</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="532"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x000000000002269c</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:57.353931"></TimeCreated>
+<EventRecordID>1108</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="560"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:57.353931"></TimeCreated>
+<EventRecordID>1109</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="560"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:23:40.220510"></TimeCreated>
+<EventRecordID>1110</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="532"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:23:40.220510"></TimeCreated>
+<EventRecordID>1111</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="532"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:47:06.075186"></TimeCreated>
+<EventRecordID>1112</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="1740"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000226c4</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">Company</Data>
+<Data Name="TargetDomainName">INFORMANT-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">Company-PC</Data>
+<Data Name="TargetInfo">Company-PC</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName"></Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:14:30.786434"></TimeCreated>
+<EventRecordID>1113</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="560"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:14:30.786434"></TimeCreated>
+<EventRecordID>1114</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="560"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:21:38.226231"></TimeCreated>
+<EventRecordID>1115</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="2160"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:21:38.226231"></TimeCreated>
+<EventRecordID>1116</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="2160"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:21:38.507030"></TimeCreated>
+<EventRecordID>1117</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="2160"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:21:38.507030"></TimeCreated>
+<EventRecordID>1118</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="2160"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:22:39.911482"></TimeCreated>
+<EventRecordID>1119</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="2904"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:22:39.911482"></TimeCreated>
+<EventRecordID>1120</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="2904"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:46:14.466702"></TimeCreated>
+<EventRecordID>1121</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="1716"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:46:14.466702"></TimeCreated>
+<EventRecordID>1122</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="1716"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 18:28:38.261791"></TimeCreated>
+<EventRecordID>1123</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="988"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 18:28:38.261791"></TimeCreated>
+<EventRecordID>1124</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="988"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000006cabcf</Data>
+<Data Name="LogonType">7</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 18:28:38.261791"></TimeCreated>
+<EventRecordID>1125</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="988"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000006cabdd</Data>
+<Data Name="LogonType">7</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 18:28:38.261791"></TimeCreated>
+<EventRecordID>1126</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="988"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000006cabcf</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 18:28:38.261791"></TimeCreated>
+<EventRecordID>1127</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="988"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000006cabdd</Data>
+<Data Name="LogonType">7</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 18:28:38.261791"></TimeCreated>
+<EventRecordID>1128</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="988"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000006cabcf</Data>
+<Data Name="LogonType">7</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 20:58:52.193810"></TimeCreated>
+<EventRecordID>1129</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="2068"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 20:58:52.193810"></TimeCreated>
+<EventRecordID>1130</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="2068"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 21:07:25.488918"></TimeCreated>
+<EventRecordID>1131</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="496" ThreadID="3392"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000226c4</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"></Provider>
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 21:07:26.799320"></TimeCreated>
+<EventRecordID>1132</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="760" ThreadID="4048"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<UserData><ServiceShutdown xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"></ServiceShutdown>
+</UserData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:41.968834"></TimeCreated>
+<EventRecordID>1133</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="476"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:41.968834"></TimeCreated>
+<EventRecordID>1134</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="476"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName"></Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:42.468035"></TimeCreated>
+<EventRecordID>1135</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="524"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x000000000000ba7d</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:42.592834"></TimeCreated>
+<EventRecordID>1136</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:42.592834"></TimeCreated>
+<EventRecordID>1137</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.372837"></TimeCreated>
+<EventRecordID>1138</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.372837"></TimeCreated>
+<EventRecordID>1139</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.497637"></TimeCreated>
+<EventRecordID>1140</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.497637"></TimeCreated>
+<EventRecordID>1141</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.638037"></TimeCreated>
+<EventRecordID>1142</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.638037"></TimeCreated>
+<EventRecordID>1143</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.669237"></TimeCreated>
+<EventRecordID>1144</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.669237"></TimeCreated>
+<EventRecordID>1145</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:45.556839"></TimeCreated>
+<EventRecordID>1146</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:45.556839"></TimeCreated>
+<EventRecordID>1147</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:45.777241"></TimeCreated>
+<EventRecordID>1148</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="64"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:46.425243"></TimeCreated>
+<EventRecordID>1149</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="508"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData></EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:48.117256"></TimeCreated>
+<EventRecordID>1150</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x000000000001c0d1</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:06:08.919298"></TimeCreated>
+<EventRecordID>1151</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="520"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:06:08.919298"></TimeCreated>
+<EventRecordID>1152</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="520"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000025465</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:06:08.919298"></TimeCreated>
+<EventRecordID>1153</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="520"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000025493</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:06:08.919298"></TimeCreated>
+<EventRecordID>1154</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="520"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x0000000000025465</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:06:16.402313"></TimeCreated>
+<EventRecordID>1155</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="528"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:06:16.402313"></TimeCreated>
+<EventRecordID>1156</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="528"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:07:49.222477"></TimeCreated>
+<EventRecordID>1157</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:07:49.222477"></TimeCreated>
+<EventRecordID>1158</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="540"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:23:59.668980"></TimeCreated>
+<EventRecordID>1159</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="528"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:23:59.668980"></TimeCreated>
+<EventRecordID>1160</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="528"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:13:47.009901"></TimeCreated>
+<EventRecordID>1161</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="44"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PreviousTime">2015-03-25 13:29:46.566790</Data>
+<Data Name="NewTime">2015-03-25 14:13:47.009901</Data>
+<Data Name="ProcessId">0x0000000000000330</Data>
+<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:13:47.025000"></TimeCreated>
+<EventRecordID>1162</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="48"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PreviousTime">2015-03-25 14:13:47.025499</Data>
+<Data Name="NewTime">2015-03-25 14:13:47.025000</Data>
+<Data Name="ProcessId">0x0000000000000330</Data>
+<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:31:53.299805"></TimeCreated>
+<EventRecordID>1163</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="2772"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:31:53.299805"></TimeCreated>
+<EventRecordID>1164</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="2772"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:45:59.180204"></TimeCreated>
+<EventRecordID>1165</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="1064"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:45:59.180204"></TimeCreated>
+<EventRecordID>1166</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="1064"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000157773</Data>
+<Data Name="LogonType">7</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:45:59.180204"></TimeCreated>
+<EventRecordID>1167</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="1064"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x000000000015777f</Data>
+<Data Name="LogonType">7</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:45:59.180204"></TimeCreated>
+<EventRecordID>1168</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="1064"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x0000000000157773</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:45:59.180204"></TimeCreated>
+<EventRecordID>1169</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="1064"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x000000000015777f</Data>
+<Data Name="LogonType">7</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:45:59.180204"></TimeCreated>
+<EventRecordID>1170</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="1064"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000157773</Data>
+<Data Name="LogonType">7</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:28.948605"></TimeCreated>
+<EventRecordID>1171</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="2304"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:28.948605"></TimeCreated>
+<EventRecordID>1172</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="2304"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:30.305803"></TimeCreated>
+<EventRecordID>1173</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="2304"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:30.305803"></TimeCreated>
+<EventRecordID>1174</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="2304"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:30.430605"></TimeCreated>
+<EventRecordID>1175</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="2592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:30.430605"></TimeCreated>
+<EventRecordID>1176</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="2592"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4904</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:45.235004"></TimeCreated>
+<EventRecordID>1177</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="2888"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000001aa8e7</Data>
+<Data Name="ProcessId">0x0000000000000934</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4905</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:45.235004"></TimeCreated>
+<EventRecordID>1178</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="2888"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000001aa8e7</Data>
+<Data Name="ProcessId">0x0000000000000934</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:50.960205"></TimeCreated>
+<EventRecordID>1179</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="2888"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:50.960205"></TimeCreated>
+<EventRecordID>1180</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="2888"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:56:55.922205"></TimeCreated>
+<EventRecordID>1181</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="3772"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:56:55.922205"></TimeCreated>
+<EventRecordID>1182</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="3772"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:57:18.230204"></TimeCreated>
+<EventRecordID>1183</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="528"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:57:18.230204"></TimeCreated>
+<EventRecordID>1184</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="528"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:57:18.479805"></TimeCreated>
+<EventRecordID>1185</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="528"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:57:18.479805"></TimeCreated>
+<EventRecordID>1186</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="528"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4904</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:57:33.393404"></TimeCreated>
+<EventRecordID>1187</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="4040"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x0000000000245dcb</Data>
+<Data Name="ProcessId">0x0000000000000aa4</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4905</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:57:33.393404"></TimeCreated>
+<EventRecordID>1188</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="4040"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x0000000000245dcb</Data>
+<Data Name="ProcessId">0x0000000000000aa4</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 15:18:54.221603"></TimeCreated>
+<EventRecordID>1189</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="528"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName"></Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 15:18:54.221603"></TimeCreated>
+<EventRecordID>1190</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="528"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 15:30:57.775204"></TimeCreated>
+<EventRecordID>1191</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="472" ThreadID="3968"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000025493</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 15:31:00.240000"></TimeCreated>
+<EventRecordID>1192</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="4" ThreadID="64"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PreviousTime">2015-03-25 15:31:00.240004</Data>
+<Data Name="NewTime">2015-03-25 15:31:00.240000</Data>
+<Data Name="ProcessId">0x0000000000000330</Data>
+<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+</EventData>
+</Event>
+
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"></Provider>
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 15:31:00.364799"></TimeCreated>
+<EventRecordID>1193</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID=""></Correlation>
+<Execution ProcessID="752" ThreadID="3912"></Execution>
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID=""></Security>
+</System>
+<UserData><ServiceShutdown xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"></ServiceShutdown>
+</UserData>
+</Event>
+
+</Events>
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/SecurityEvt_ns_removed.xml b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/SecurityEvt_ns_removed.xml
new file mode 100644
index 0000000..cc35c57
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/SecurityEvt_ns_removed.xml
@@ -0,0 +1,36682 @@
+<Events>
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:35.248869" />
+<EventRecordID>1</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:35.311270" />
+<EventRecordID>2</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName" />
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.089672" />
+<EventRecordID>3</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="516" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x0000000000035ce9</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4731</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474" />
+<EventRecordID>4</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Backup Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-551</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Backup Operators</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474" />
+<EventRecordID>5</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Backup Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-551</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4731</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474" />
+<EventRecordID>6</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Replicator</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-552</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Replicator</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474" />
+<EventRecordID>7</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Replicator</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-552</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4731</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474" />
+<EventRecordID>8</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Remote Desktop Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-555</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Remote Desktop Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474" />
+<EventRecordID>9</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Remote Desktop Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-555</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4731</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474" />
+<EventRecordID>10</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Network Configuration Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-556</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Network Configuration Operators</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474" />
+<EventRecordID>11</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Network Configuration Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-556</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4731</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474" />
+<EventRecordID>12</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Power Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-547</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Power Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.370474" />
+<EventRecordID>13</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Power Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-547</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4731</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.386072" />
+<EventRecordID>14</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Cryptographic Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-569</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Cryptographic Operators</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.386072" />
+<EventRecordID>15</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Cryptographic Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-569</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.713673" />
+<EventRecordID>16</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:37.713673" />
+<EventRecordID>17</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:38.914877" />
+<EventRecordID>18</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:38.914877" />
+<EventRecordID>19</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:46.683689" />
+<EventRecordID>20</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:46.683689" />
+<EventRecordID>21</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:46.995691" />
+<EventRecordID>22</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:46.995691" />
+<EventRecordID>23</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:47.011292" />
+<EventRecordID>24</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:47.011292" />
+<EventRecordID>25</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:47.338890" />
+<EventRecordID>26</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:47.338890" />
+<EventRecordID>27</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:50.162495" />
+<EventRecordID>28</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:50.162495" />
+<EventRecordID>29</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:50.864496" />
+<EventRecordID>30</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="64" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:52.065699" />
+<EventRecordID>31</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:15:54.717703" />
+<EventRecordID>32</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000454a7</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:17:53.886312" />
+<EventRecordID>33</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="1868" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">Administrator</Data>
+<Data Name="TargetDomainName">37L4247F27-25</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-500</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x211</Data>
+<Data Name="NewUacValue">0x211</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:17:55.461916" />
+<EventRecordID>34</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="1868" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:17:55.461916" />
+<EventRecordID>35</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="1868" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:17:57.708319" />
+<EventRecordID>36</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="1868" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:17:57.708319" />
+<EventRecordID>37</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="1868" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:18:23.900766" />
+<EventRecordID>38</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="1696" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:18:23.900766" />
+<EventRecordID>39</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="1696" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:18:24.165966" />
+<EventRecordID>40</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="552" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">37L4247F27-25$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:18:24.165966" />
+<EventRecordID>41</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="464" ThreadID="552" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog" />
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:18:29.407576" />
+<EventRecordID>42</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="816" ThreadID="1468" />
+<Channel>Security</Channel>
+<Computer>37L4247F27-25</Computer>
+<Security UserID="" />
+</System>
+<UserData><ServiceShutdown />
+</UserData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:26.671669" />
+<EventRecordID>43</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="480" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:26.827669" />
+<EventRecordID>44</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="480" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName" />
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:29.058474" />
+<EventRecordID>45</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="532" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x000000000000d031</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:29.276873" />
+<EventRecordID>46</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:29.276873" />
+<EventRecordID>47</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:30.212875" />
+<EventRecordID>48</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:30.212875" />
+<EventRecordID>49</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:46.499304" />
+<EventRecordID>50</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="524" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:46.499304" />
+<EventRecordID>51</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="524" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:46.592903" />
+<EventRecordID>52</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="524" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:46.592903" />
+<EventRecordID>53</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="524" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:46.686502" />
+<EventRecordID>54</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="524" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:19:46.686502" />
+<EventRecordID>55</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="524" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:14.799122" />
+<EventRecordID>56</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="748" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:14.799122" />
+<EventRecordID>57</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="748" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:16.811525" />
+<EventRecordID>58</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="748" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:16.811525" />
+<EventRecordID>59</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="748" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:17.185928" />
+<EventRecordID>60</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="44" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:19.057930" />
+<EventRecordID>61</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="748" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:19.369930" />
+<EventRecordID>62</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x0000000000028c63</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.848738" />
+<EventRecordID>63</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Administrators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-544</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.848738" />
+<EventRecordID>64</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="OldTargetUserName">Administrators</Data>
+<Data Name="NewTargetUserName">Administrators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-544</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.848738" />
+<EventRecordID>65</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Administrators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-544</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Administrators</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>66</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>67</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="OldTargetUserName">Users</Data>
+<Data Name="NewTargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>68</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>69</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Guests</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-546</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>70</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="OldTargetUserName">Guests</Data>
+<Data Name="NewTargetUserName">Guests</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-546</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>71</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Guests</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-546</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Guests</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>72</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Backup Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-551</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>73</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="OldTargetUserName">Backup Operators</Data>
+<Data Name="NewTargetUserName">Backup Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-551</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>74</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Backup Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-551</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Backup Operators</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>75</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Replicator</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-552</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>76</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="OldTargetUserName">Replicator</Data>
+<Data Name="NewTargetUserName">Replicator</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-552</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>77</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Replicator</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-552</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Replicator</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>78</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Remote Desktop Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-555</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>79</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="OldTargetUserName">Remote Desktop Users</Data>
+<Data Name="NewTargetUserName">Remote Desktop Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-555</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>80</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Remote Desktop Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-555</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Remote Desktop Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>81</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Network Configuration Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-556</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>82</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="OldTargetUserName">Network Configuration Operators</Data>
+<Data Name="NewTargetUserName">Network Configuration Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-556</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>83</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Network Configuration Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-556</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Network Configuration Operators</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>84</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Power Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-547</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>85</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="OldTargetUserName">Power Users</Data>
+<Data Name="NewTargetUserName">Power Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-547</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>86</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Power Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-547</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Power Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>87</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Performance Monitor Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-558</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>88</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="OldTargetUserName">Performance Monitor Users</Data>
+<Data Name="NewTargetUserName">Performance Monitor Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-558</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>89</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Performance Monitor Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-558</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Performance Monitor Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>90</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Performance Log Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-559</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>91</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="OldTargetUserName">Performance Log Users</Data>
+<Data Name="NewTargetUserName">Performance Log Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-559</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>92</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Performance Log Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-559</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Performance Log Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>93</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Distributed COM Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-562</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>94</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="OldTargetUserName">Distributed COM Users</Data>
+<Data Name="NewTargetUserName">Distributed COM Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-562</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>95</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Distributed COM Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-562</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Distributed COM Users</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>96</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">IIS_IUSRS</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-568</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>97</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="OldTargetUserName">IIS_IUSRS</Data>
+<Data Name="NewTargetUserName">IIS_IUSRS</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-568</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>98</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">IIS_IUSRS</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-568</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">IIS_IUSRS</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>99</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Cryptographic Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-569</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>100</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="OldTargetUserName">Cryptographic Operators</Data>
+<Data Name="NewTargetUserName">Cryptographic Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-569</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>101</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Cryptographic Operators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-569</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Cryptographic Operators</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>102</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Event Log Readers</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-573</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4781</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>103</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="OldTargetUserName">Event Log Readers</Data>
+<Data Name="NewTargetUserName">Event Log Readers</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-573</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4735</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>104</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">Event Log Readers</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-573</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Event Log Readers</Data>
+<Data Name="SidHistory">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>105</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">Administrator</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-500</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Administrator</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">11/20/2010 8:57:24 PM</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x211</Data>
+<Data Name="NewUacValue">0x211</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>106</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">Administrator</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-500</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Administrator</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">11/20/2010 8:57:24 PM</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x211</Data>
+<Data Name="NewUacValue">0x211</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>107</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">Guest</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-501</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Guest</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x215</Data>
+<Data Name="NewUacValue">0x215</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 10:33:22.864338" />
+<EventRecordID>108</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">Guest</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-501</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">Guest</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x215</Data>
+<Data Name="NewUacValue">0x215</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:53.237000" />
+<EventRecordID>109</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="64" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PreviousTime">2015-03-25 10:34:25.685648</Data>
+<Data Name="NewTime">2015-03-22 14:33:53.237000</Data>
+<Data Name="ProcessId">0x0000000000000340</Data>
+<Data Name="ProcessName">C:\Windows\System32\oobe\msoobe.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4728</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.422602" />
+<EventRecordID>110</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="748" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">None</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-513</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4720</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.422602" />
+<EventRecordID>111</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="748" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">informant</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x0</Data>
+<Data Name="NewUacValue">0x15</Data>
+<Data Name="UserAccountControl">
+		%%2080
+		%%2082
+		%%2084</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4732</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.422602" />
+<EventRecordID>112</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="748" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4722</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.438202" />
+<EventRecordID>113</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="748" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.438202" />
+<EventRecordID>114</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="748" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">informant</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x15</Data>
+<Data Name="NewUacValue">0x14</Data>
+<Data Name="UserAccountControl">
+		%%2048</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4732</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.453800" />
+<EventRecordID>115</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="748" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">Administrators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-544</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4733</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.485001" />
+<EventRecordID>116</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="1828" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.485001" />
+<EventRecordID>117</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="1828" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">informant</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">3/22/2015 10:33:54 AM</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x14</Data>
+<Data Name="NewUacValue">0x214</Data>
+<Data Name="UserAccountControl">
+		%%2089</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4724</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.485001" />
+<EventRecordID>118</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="1828" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:33:54.485001" />
+<EventRecordID>119</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="1828" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:24.717855" />
+<EventRecordID>120</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="1828" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:24.717855" />
+<EventRecordID>121</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="1828" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:28.922289" />
+<EventRecordID>122</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:28.922289" />
+<EventRecordID>123</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x000000000003be29</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">WIN-D9RGPJQ68G8</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:28.922289" />
+<EventRecordID>124</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x000000000003db0a</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">WIN-D9RGPJQ68G8</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:28.922289" />
+<EventRecordID>125</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="796" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x000000000003be29</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:49.529924" />
+<EventRecordID>126</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="748" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:34:49.529924" />
+<EventRecordID>127</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="748" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog" />
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:38:16.402891" />
+<EventRecordID>128</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="952" ThreadID="2504" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<UserData><ServiceShutdown />
+</UserData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:38:15.888088" />
+<EventRecordID>129</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="476" ThreadID="1828" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x000000000003db0a</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:14.039225" />
+<EventRecordID>130</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="460" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:14.086025" />
+<EventRecordID>131</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="460" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName" />
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:15.053226" />
+<EventRecordID>132</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="524" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x000000000000b8dc</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:15.193626" />
+<EventRecordID>133</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="520" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:15.193626" />
+<EventRecordID>134</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="520" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:15.692829" />
+<EventRecordID>135</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="520" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:15.692829" />
+<EventRecordID>136</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="520" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:16.207628" />
+<EventRecordID>137</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="520" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:16.207628" />
+<EventRecordID>138</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="520" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:16.660030" />
+<EventRecordID>139</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="504" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:16.660030" />
+<EventRecordID>140</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="504" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:16.675631" />
+<EventRecordID>141</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="504" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:16.675631" />
+<EventRecordID>142</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="504" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:20.216837" />
+<EventRecordID>143</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="504" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:20.216837" />
+<EventRecordID>144</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="504" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:21.418037" />
+<EventRecordID>145</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="68" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:23.773643" />
+<EventRecordID>146</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="520" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:51:27.299248" />
+<EventRecordID>147</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="520" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x000000000001a667</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:30.717463" />
+<EventRecordID>148</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="1812" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:30.717463" />
+<EventRecordID>149</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="1812" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:31.981066" />
+<EventRecordID>150</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="1812" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:31.981066" />
+<EventRecordID>151</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="1812" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:39.874680" />
+<EventRecordID>152</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="492" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x0000000000000184</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:39.874680" />
+<EventRecordID>153</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="492" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000026923</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000184</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:39.874680" />
+<EventRecordID>154</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="492" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000026951</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000184</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 14:53:39.874680" />
+<EventRecordID>155</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="492" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x0000000000026923</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:08.475166" />
+<EventRecordID>156</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="1812" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:08.475166" />
+<EventRecordID>157</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="1812" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:08.615566" />
+<EventRecordID>158</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="1648" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:08.615566" />
+<EventRecordID>159</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="1648" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:18.412384" />
+<EventRecordID>160</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="2096" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:18.412384" />
+<EventRecordID>161</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="2096" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4904</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:20.799187" />
+<EventRecordID>162</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="1648" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x0000000000069adb</Data>
+<Data Name="ProcessId">0x0000000000000bc0</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4905</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:20.799187" />
+<EventRecordID>163</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="1648" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x0000000000069adb</Data>
+<Data Name="ProcessId">0x0000000000000bc0</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4904</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:36.648815" />
+<EventRecordID>164</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="1856" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000000835e3</Data>
+<Data Name="ProcessId">0x0000000000000bc0</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4905</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:00:36.648815" />
+<EventRecordID>165</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="1856" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000000835e3</Data>
+<Data Name="ProcessId">0x0000000000000bc0</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:04:33.457232" />
+<EventRecordID>166</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="492" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:04:33.457232" />
+<EventRecordID>167</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="492" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:12:37.117380" />
+<EventRecordID>168</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="2320" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:12:37.117380" />
+<EventRecordID>169</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="2320" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:13:12.170641" />
+<EventRecordID>170</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="2320" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:13:12.170641" />
+<EventRecordID>171</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="2320" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:13:12.857042" />
+<EventRecordID>172</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="3756" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:13:12.857042" />
+<EventRecordID>173</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="3756" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4904</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:13:25.305864" />
+<EventRecordID>174</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="3116" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000001fa262</Data>
+<Data Name="ProcessId">0x0000000000000e6c</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4905</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:13:25.305864" />
+<EventRecordID>175</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="3116" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000001fa262</Data>
+<Data Name="ProcessId">0x0000000000000e6c</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:16:01.446539" />
+<EventRecordID>176</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="3116" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:16:01.446539" />
+<EventRecordID>177</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="3116" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:17:19.431074" />
+<EventRecordID>178</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\winsxs\Temp\PendingRenames\a86dcf49b364d00184220000f80e440b.install.ins</Data>
+<Data Name="HandleId">0x00000000000086e8</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI</Data>
+<Data Name="ProcessId">0x0000000000000ef8</Data>
+<Data Name="ProcessName">C:\Windows\servicing\TrustedInstaller.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:17:19.431074" />
+<EventRecordID>179</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\winsxs\Temp\PendingRenames\08cfd149b364d00185220000f80e440b.install.ins</Data>
+<Data Name="HandleId">0x00000000000088b0</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI</Data>
+<Data Name="ProcessId">0x0000000000000ef8</Data>
+<Data Name="ProcessName">C:\Windows\servicing\TrustedInstaller.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:52.829239" />
+<EventRecordID>180</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="3116" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000026951</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.356443" />
+<EventRecordID>181</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\DWrite.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.356443" />
+<EventRecordID>182</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d2d1.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.356443" />
+<EventRecordID>183</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\msmpeg2vdec.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.372044" />
+<EventRecordID>184</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.372044" />
+<EventRecordID>185</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d3d10core.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.372044" />
+<EventRecordID>186</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.387644" />
+<EventRecordID>187</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.387644" />
+<EventRecordID>188</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\XpsGdiConverter.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.387644" />
+<EventRecordID>189</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.403244" />
+<EventRecordID>190</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d3d10warp.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.403244" />
+<EventRecordID>191</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.403244" />
+<EventRecordID>192</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\dxgi.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.418844" />
+<EventRecordID>193</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\WMPhoto.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.418844" />
+<EventRecordID>194</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\FntCache.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.418844" />
+<EventRecordID>195</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.434444" />
+<EventRecordID>196</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d3d10_1.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.434444" />
+<EventRecordID>197</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\WindowsCodecsExt.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.434444" />
+<EventRecordID>198</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.450045" />
+<EventRecordID>199</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d3d10level9.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.450045" />
+<EventRecordID>200</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\UIAnimation.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.450045" />
+<EventRecordID>201</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.450045" />
+<EventRecordID>202</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d3d10_1core.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.465645" />
+<EventRecordID>203</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\XpsPrint.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.465645" />
+<EventRecordID>204</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.465645" />
+<EventRecordID>205</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d3d10.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.481245" />
+<EventRecordID>206</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\WindowsCodecs.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.481245" />
+<EventRecordID>207</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\d3d11.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.481245" />
+<EventRecordID>208</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.496843" />
+<EventRecordID>209</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.496843" />
+<EventRecordID>210</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.496843" />
+<EventRecordID>211</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.512444" />
+<EventRecordID>212</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.512444" />
+<EventRecordID>213</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\da-DK\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.512444" />
+<EventRecordID>214</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\da-DK\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.528044" />
+<EventRecordID>215</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\da-DK\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.528044" />
+<EventRecordID>216</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\da-DK\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.528044" />
+<EventRecordID>217</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nb-NO\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.543644" />
+<EventRecordID>218</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nb-NO\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.543644" />
+<EventRecordID>219</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nb-NO\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.543644" />
+<EventRecordID>220</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nb-NO\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.559244" />
+<EventRecordID>221</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\spp\tokens\ppdlic\msmpeg2vdec-ppdlic.xrm-ms</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.559244" />
+<EventRecordID>222</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ru-RU\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.559244" />
+<EventRecordID>223</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ru-RU\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.574844" />
+<EventRecordID>224</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ru-RU\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.574844" />
+<EventRecordID>225</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ru-RU\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.574844" />
+<EventRecordID>226</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ja-JP\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.590445" />
+<EventRecordID>227</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ja-JP\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.590445" />
+<EventRecordID>228</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ja-JP\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.606045" />
+<EventRecordID>229</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ja-JP\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.606045" />
+<EventRecordID>230</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ja-JP\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.606045" />
+<EventRecordID>231</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-CN\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.606045" />
+<EventRecordID>232</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-CN\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.621645" />
+<EventRecordID>233</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-CN\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.621645" />
+<EventRecordID>234</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-CN\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.621645" />
+<EventRecordID>235</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\cs-CZ\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.637243" />
+<EventRecordID>236</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\cs-CZ\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.637243" />
+<EventRecordID>237</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\cs-CZ\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.637243" />
+<EventRecordID>238</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\cs-CZ\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.637243" />
+<EventRecordID>239</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\de-DE\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.652843" />
+<EventRecordID>240</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\de-DE\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.652843" />
+<EventRecordID>241</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\de-DE\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.668444" />
+<EventRecordID>242</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\de-DE\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.668444" />
+<EventRecordID>243</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\de-DE\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.668444" />
+<EventRecordID>244</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-TW\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.684044" />
+<EventRecordID>245</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-TW\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.684044" />
+<EventRecordID>246</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-TW\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.684044" />
+<EventRecordID>247</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-TW\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.699644" />
+<EventRecordID>248</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\es-ES\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.699644" />
+<EventRecordID>249</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\es-ES\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.699644" />
+<EventRecordID>250</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\es-ES\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.715244" />
+<EventRecordID>251</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\es-ES\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.715244" />
+<EventRecordID>252</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\es-ES\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.715244" />
+<EventRecordID>253</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\sv-SE\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.715244" />
+<EventRecordID>254</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\sv-SE\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.730844" />
+<EventRecordID>255</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\sv-SE\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.730844" />
+<EventRecordID>256</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\sv-SE\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.730844" />
+<EventRecordID>257</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\tr-TR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.730844" />
+<EventRecordID>258</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\tr-TR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.746445" />
+<EventRecordID>259</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\tr-TR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.746445" />
+<EventRecordID>260</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\tr-TR\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.746445" />
+<EventRecordID>261</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fi-FI\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.746445" />
+<EventRecordID>262</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fi-FI\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.762045" />
+<EventRecordID>263</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fi-FI\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.762045" />
+<EventRecordID>264</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fi-FI\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.762045" />
+<EventRecordID>265</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fr-FR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.762045" />
+<EventRecordID>266</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fr-FR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.777645" />
+<EventRecordID>267</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fr-FR\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.777645" />
+<EventRecordID>268</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fr-FR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.777645" />
+<EventRecordID>269</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\fr-FR\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.793243" />
+<EventRecordID>270</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nl-NL\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.793243" />
+<EventRecordID>271</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nl-NL\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.793243" />
+<EventRecordID>272</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nl-NL\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.793243" />
+<EventRecordID>273</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nl-NL\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.808844" />
+<EventRecordID>274</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\nl-NL\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.808844" />
+<EventRecordID>275</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\el-GR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.808844" />
+<EventRecordID>276</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\el-GR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.824444" />
+<EventRecordID>277</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\el-GR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.824444" />
+<EventRecordID>278</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\el-GR\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.824444" />
+<EventRecordID>279</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-HK\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.840044" />
+<EventRecordID>280</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-HK\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.840044" />
+<EventRecordID>281</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-HK\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.840044" />
+<EventRecordID>282</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\zh-HK\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.840044" />
+<EventRecordID>283</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\hu-HU\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.855644" />
+<EventRecordID>284</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\hu-HU\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.855644" />
+<EventRecordID>285</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\hu-HU\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.855644" />
+<EventRecordID>286</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\hu-HU\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.855644" />
+<EventRecordID>287</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ko-KR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.871246" />
+<EventRecordID>288</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ko-KR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.871246" />
+<EventRecordID>289</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ko-KR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.871246" />
+<EventRecordID>290</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ko-KR\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.871246" />
+<EventRecordID>291</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pl-PL\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.886847" />
+<EventRecordID>292</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pl-PL\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.886847" />
+<EventRecordID>293</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pl-PL\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.886847" />
+<EventRecordID>294</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pl-PL\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.902447" />
+<EventRecordID>295</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-PT\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.902447" />
+<EventRecordID>296</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-PT\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.902447" />
+<EventRecordID>297</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-PT\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.902447" />
+<EventRecordID>298</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-PT\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.918045" />
+<EventRecordID>299</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\it-IT\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.918045" />
+<EventRecordID>300</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\it-IT\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.918045" />
+<EventRecordID>301</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\it-IT\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.918045" />
+<EventRecordID>302</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\it-IT\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.933645" />
+<EventRecordID>303</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\it-IT\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.933645" />
+<EventRecordID>304</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-BR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.933645" />
+<EventRecordID>305</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-BR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.949245" />
+<EventRecordID>306</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-BR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.949245" />
+<EventRecordID>307</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pt-BR\FntCache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.949245" />
+<EventRecordID>308</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\DWrite.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.964846" />
+<EventRecordID>309</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d2d1.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.964846" />
+<EventRecordID>310</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\msmpeg2vdec.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.964846" />
+<EventRecordID>311</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.980446" />
+<EventRecordID>312</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d3d10core.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.980446" />
+<EventRecordID>313</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.996046" />
+<EventRecordID>314</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.996046" />
+<EventRecordID>315</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\XpsGdiConverter.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:55.996046" />
+<EventRecordID>316</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.011646" />
+<EventRecordID>317</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d3d10warp.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.011646" />
+<EventRecordID>318</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\dxgi.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.011646" />
+<EventRecordID>319</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.027246" />
+<EventRecordID>320</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\WMPhoto.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.027246" />
+<EventRecordID>321</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.042847" />
+<EventRecordID>322</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d3d10_1.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.042847" />
+<EventRecordID>323</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d3d10level9.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.074045" />
+<EventRecordID>324</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\WindowsCodecsExt.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.074045" />
+<EventRecordID>325</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.074045" />
+<EventRecordID>326</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.074045" />
+<EventRecordID>327</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\UIAnimation.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.089645" />
+<EventRecordID>328</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d3d10_1core.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.089645" />
+<EventRecordID>329</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\XpsPrint.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.089645" />
+<EventRecordID>330</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.089645" />
+<EventRecordID>331</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d3d10.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.105246" />
+<EventRecordID>332</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\WindowsCodecs.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.105246" />
+<EventRecordID>333</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\d3d11.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.120846" />
+<EventRecordID>334</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.120846" />
+<EventRecordID>335</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.120846" />
+<EventRecordID>336</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.120846" />
+<EventRecordID>337</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.136446" />
+<EventRecordID>338</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\da-DK\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.136446" />
+<EventRecordID>339</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\da-DK\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.136446" />
+<EventRecordID>340</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\da-DK\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.136446" />
+<EventRecordID>341</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\nb-NO\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.152046" />
+<EventRecordID>342</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\nb-NO\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.152046" />
+<EventRecordID>343</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\nb-NO\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.183247" />
+<EventRecordID>344</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\spp\tokens\ppdlic\msmpeg2vdec-ppdlic.xrm-ms</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.183247" />
+<EventRecordID>345</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ru-RU\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.183247" />
+<EventRecordID>346</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ru-RU\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.183247" />
+<EventRecordID>347</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ru-RU\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.183247" />
+<EventRecordID>348</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ja-JP\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.198845" />
+<EventRecordID>349</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ja-JP\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.198845" />
+<EventRecordID>350</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ja-JP\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.198845" />
+<EventRecordID>351</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ja-JP\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.198845" />
+<EventRecordID>352</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-CN\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.198845" />
+<EventRecordID>353</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-CN\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.214445" />
+<EventRecordID>354</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-CN\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.214445" />
+<EventRecordID>355</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\cs-CZ\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.214445" />
+<EventRecordID>356</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\cs-CZ\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.214445" />
+<EventRecordID>357</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\cs-CZ\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.230045" />
+<EventRecordID>358</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\de-DE\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.230045" />
+<EventRecordID>359</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\de-DE\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.230045" />
+<EventRecordID>360</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\de-DE\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.230045" />
+<EventRecordID>361</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\de-DE\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.245646" />
+<EventRecordID>362</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-TW\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.245646" />
+<EventRecordID>363</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-TW\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.245646" />
+<EventRecordID>364</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-TW\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.245646" />
+<EventRecordID>365</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\es-ES\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.261246" />
+<EventRecordID>366</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\es-ES\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.261246" />
+<EventRecordID>367</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\es-ES\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.261246" />
+<EventRecordID>368</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\es-ES\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.261246" />
+<EventRecordID>369</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\sv-SE\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.261246" />
+<EventRecordID>370</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\sv-SE\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.276846" />
+<EventRecordID>371</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\sv-SE\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.276846" />
+<EventRecordID>372</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\tr-TR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.276846" />
+<EventRecordID>373</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\tr-TR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.276846" />
+<EventRecordID>374</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\tr-TR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.276846" />
+<EventRecordID>375</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\fi-FI\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.292446" />
+<EventRecordID>376</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\fi-FI\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.292446" />
+<EventRecordID>377</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\fi-FI\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.292446" />
+<EventRecordID>378</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\fr-FR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.292446" />
+<EventRecordID>379</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\fr-FR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.308046" />
+<EventRecordID>380</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\fr-FR\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.308046" />
+<EventRecordID>381</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\fr-FR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.308046" />
+<EventRecordID>382</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\nl-NL\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.308046" />
+<EventRecordID>383</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\nl-NL\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.323647" />
+<EventRecordID>384</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\nl-NL\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.323647" />
+<EventRecordID>385</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\nl-NL\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.323647" />
+<EventRecordID>386</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\el-GR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.323647" />
+<EventRecordID>387</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\el-GR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.339247" />
+<EventRecordID>388</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\el-GR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.339247" />
+<EventRecordID>389</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-HK\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.339247" />
+<EventRecordID>390</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-HK\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.339247" />
+<EventRecordID>391</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\zh-HK\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.354845" />
+<EventRecordID>392</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\hu-HU\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.354845" />
+<EventRecordID>393</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\hu-HU\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.354845" />
+<EventRecordID>394</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\hu-HU\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.354845" />
+<EventRecordID>395</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ko-KR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.370445" />
+<EventRecordID>396</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ko-KR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.370445" />
+<EventRecordID>397</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ko-KR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.370445" />
+<EventRecordID>398</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pl-PL\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.370445" />
+<EventRecordID>399</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pl-PL\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.370445" />
+<EventRecordID>400</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pl-PL\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.386045" />
+<EventRecordID>401</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pt-PT\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.386045" />
+<EventRecordID>402</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pt-PT\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.386045" />
+<EventRecordID>403</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pt-PT\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.386045" />
+<EventRecordID>404</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\it-IT\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.401646" />
+<EventRecordID>405</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\it-IT\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.401646" />
+<EventRecordID>406</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\it-IT\UIAnimation.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.401646" />
+<EventRecordID>407</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\it-IT\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.401646" />
+<EventRecordID>408</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pt-BR\WMPhoto.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.417246" />
+<EventRecordID>409</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pt-BR\d2d1.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.417246" />
+<EventRecordID>410</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pt-BR\DWrite.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.588846" />
+<EventRecordID>411</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ntoskrnl.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.588846" />
+<EventRecordID>412</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntoskrnl.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.604446" />
+<EventRecordID>413</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntkrnlpa.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.698046" />
+<EventRecordID>414</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\AppPatch\acwow64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.698046" />
+<EventRecordID>415</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.713646" />
+<EventRecordID>416</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.713646" />
+<EventRecordID>417</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.713646" />
+<EventRecordID>418</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.729248" />
+<EventRecordID>419</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.729248" />
+<EventRecordID>420</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64cpu.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.729248" />
+<EventRecordID>421</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.885248" />
+<EventRecordID>422</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.900846" />
+<EventRecordID>423</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.900846" />
+<EventRecordID>424</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.900846" />
+<EventRecordID>425</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.916447" />
+<EventRecordID>426</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.916447" />
+<EventRecordID>427</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.916447" />
+<EventRecordID>428</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ntvdm64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.932047" />
+<EventRecordID>429</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.932047" />
+<EventRecordID>430</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.932047" />
+<EventRecordID>431</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.947647" />
+<EventRecordID>432</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.947647" />
+<EventRecordID>433</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.947647" />
+<EventRecordID>434</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.947647" />
+<EventRecordID>435</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\conhost.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.963247" />
+<EventRecordID>436</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.963247" />
+<EventRecordID>437</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.963247" />
+<EventRecordID>438</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.978848" />
+<EventRecordID>439</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64win.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.978848" />
+<EventRecordID>440</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.978848" />
+<EventRecordID>441</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\kernel32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.994448" />
+<EventRecordID>442</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\KernelBase.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.994448" />
+<EventRecordID>443</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:56.994448" />
+<EventRecordID>444</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.010048" />
+<EventRecordID>445</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.010048" />
+<EventRecordID>446</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.010048" />
+<EventRecordID>447</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\winsrv.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.025648" />
+<EventRecordID>448</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.025648" />
+<EventRecordID>449</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.025648" />
+<EventRecordID>450</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.041248" />
+<EventRecordID>451</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.041248" />
+<EventRecordID>452</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.041248" />
+<EventRecordID>453</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\setup16.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.056847" />
+<EventRecordID>454</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\user.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.056847" />
+<EventRecordID>455</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.056847" />
+<EventRecordID>456</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntvdm64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.056847" />
+<EventRecordID>457</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.072447" />
+<EventRecordID>458</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.072447" />
+<EventRecordID>459</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.072447" />
+<EventRecordID>460</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.088047" />
+<EventRecordID>461</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.088047" />
+<EventRecordID>462</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.088047" />
+<EventRecordID>463</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.088047" />
+<EventRecordID>464</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.103647" />
+<EventRecordID>465</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.103647" />
+<EventRecordID>466</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\instnm.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.103647" />
+<EventRecordID>467</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.119247" />
+<EventRecordID>468</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.119247" />
+<EventRecordID>469</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.119247" />
+<EventRecordID>470</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.119247" />
+<EventRecordID>471</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.134848" />
+<EventRecordID>472</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.134848" />
+<EventRecordID>473</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\kernel32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.134848" />
+<EventRecordID>474</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.134848" />
+<EventRecordID>475</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.150448" />
+<EventRecordID>476</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.150448" />
+<EventRecordID>477</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.150448" />
+<EventRecordID>478</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.166048" />
+<EventRecordID>479</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\KernelBase.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.166048" />
+<EventRecordID>480</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.166048" />
+<EventRecordID>481</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.181648" />
+<EventRecordID>482</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.181648" />
+<EventRecordID>483</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.181648" />
+<EventRecordID>484</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.181648" />
+<EventRecordID>485</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\wow32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.384447" />
+<EventRecordID>486</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\AppPatch\acwow64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.446848" />
+<EventRecordID>487</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.462448" />
+<EventRecordID>488</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.462448" />
+<EventRecordID>489</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.462448" />
+<EventRecordID>490</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.478048" />
+<EventRecordID>491</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.478048" />
+<EventRecordID>492</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64cpu.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.493647" />
+<EventRecordID>493</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.493647" />
+<EventRecordID>494</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.493647" />
+<EventRecordID>495</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.509247" />
+<EventRecordID>496</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.509247" />
+<EventRecordID>497</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.509247" />
+<EventRecordID>498</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.524847" />
+<EventRecordID>499</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.524847" />
+<EventRecordID>500</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ntvdm64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.540447" />
+<EventRecordID>501</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.540447" />
+<EventRecordID>502</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.540447" />
+<EventRecordID>503</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.556047" />
+<EventRecordID>504</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.556047" />
+<EventRecordID>505</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.556047" />
+<EventRecordID>506</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.571648" />
+<EventRecordID>507</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\conhost.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.571648" />
+<EventRecordID>508</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.587248" />
+<EventRecordID>509</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.587248" />
+<EventRecordID>510</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.587248" />
+<EventRecordID>511</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64win.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.587248" />
+<EventRecordID>512</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.602848" />
+<EventRecordID>513</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\kernel32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.602848" />
+<EventRecordID>514</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\KernelBase.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.618448" />
+<EventRecordID>515</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.712049" />
+<EventRecordID>516</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.727650" />
+<EventRecordID>517</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.727650" />
+<EventRecordID>518</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.727650" />
+<EventRecordID>519</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\winsrv.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.727650" />
+<EventRecordID>520</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.743250" />
+<EventRecordID>521</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.743250" />
+<EventRecordID>522</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.743250" />
+<EventRecordID>523</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\KernelBase.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.758848" />
+<EventRecordID>524</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\instnm.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.758848" />
+<EventRecordID>525</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.758848" />
+<EventRecordID>526</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.774448" />
+<EventRecordID>527</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.774448" />
+<EventRecordID>528</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.774448" />
+<EventRecordID>529</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\user.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.774448" />
+<EventRecordID>530</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.790049" />
+<EventRecordID>531</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.790049" />
+<EventRecordID>532</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.790049" />
+<EventRecordID>533</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.790049" />
+<EventRecordID>534</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.805649" />
+<EventRecordID>535</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.805649" />
+<EventRecordID>536</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.805649" />
+<EventRecordID>537</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntvdm64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.805649" />
+<EventRecordID>538</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.821249" />
+<EventRecordID>539</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.821249" />
+<EventRecordID>540</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.821249" />
+<EventRecordID>541</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.836849" />
+<EventRecordID>542</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.836849" />
+<EventRecordID>543</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.836849" />
+<EventRecordID>544</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\wow32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.836849" />
+<EventRecordID>545</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.852449" />
+<EventRecordID>546</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.852449" />
+<EventRecordID>547</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.852449" />
+<EventRecordID>548</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.852449" />
+<EventRecordID>549</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\kernel32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.868050" />
+<EventRecordID>550</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\KernelBase.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.868050" />
+<EventRecordID>551</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.868050" />
+<EventRecordID>552</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.883650" />
+<EventRecordID>553</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.883650" />
+<EventRecordID>554</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.883650" />
+<EventRecordID>555</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.883650" />
+<EventRecordID>556</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\setup16.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.899248" />
+<EventRecordID>557</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.899248" />
+<EventRecordID>558</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:57.899248" />
+<EventRecordID>559</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\KernelBase.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.024050" />
+<EventRecordID>560</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Fonts\seguisym.ttf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.024050" />
+<EventRecordID>561</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Fonts\segoeui.ttf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.024050" />
+<EventRecordID>562</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Fonts\segoeuiz.ttf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.039648" />
+<EventRecordID>563</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Fonts\segoeuib.ttf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.039648" />
+<EventRecordID>564</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Fonts\segoeuii.ttf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.148849" />
+<EventRecordID>565</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\taskhost.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.148849" />
+<EventRecordID>566</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\drivers\afd.sys</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.148849" />
+<EventRecordID>567</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\drivers\FWPKCLNT.SYS</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.164450" />
+<EventRecordID>568</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\drivers\tcpip.sys</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.164450" />
+<EventRecordID>569</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\drivers\netio.sys</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.195648" />
+<EventRecordID>570</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\mswsock.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.195648" />
+<EventRecordID>571</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\mswsock.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.320450" />
+<EventRecordID>572</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\smss.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.336048" />
+<EventRecordID>573</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\csrsrv.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.336048" />
+<EventRecordID>574</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ntdll.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.351648" />
+<EventRecordID>575</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ntoskrnl.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.351648" />
+<EventRecordID>576</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\apisetschema.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.367249" />
+<EventRecordID>577</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntdll.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.367249" />
+<EventRecordID>578</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntoskrnl.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.367249" />
+<EventRecordID>579</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntkrnlpa.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.398449" />
+<EventRecordID>580</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\AppPatch\acwow64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.414049" />
+<EventRecordID>581</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\tdh.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.414049" />
+<EventRecordID>582</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.414049" />
+<EventRecordID>583</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.445250" />
+<EventRecordID>584</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.445250" />
+<EventRecordID>585</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.445250" />
+<EventRecordID>586</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.445250" />
+<EventRecordID>587</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64cpu.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.460850" />
+<EventRecordID>588</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.460850" />
+<EventRecordID>589</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.460850" />
+<EventRecordID>590</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.460850" />
+<EventRecordID>591</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.476448" />
+<EventRecordID>592</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.476448" />
+<EventRecordID>593</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.476448" />
+<EventRecordID>594</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.476448" />
+<EventRecordID>595</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ntvdm64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.492048" />
+<EventRecordID>596</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.492048" />
+<EventRecordID>597</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.492048" />
+<EventRecordID>598</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.492048" />
+<EventRecordID>599</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.507648" />
+<EventRecordID>600</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.507648" />
+<EventRecordID>601</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.507648" />
+<EventRecordID>602</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\conhost.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.507648" />
+<EventRecordID>603</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.523249" />
+<EventRecordID>604</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\advapi32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.523249" />
+<EventRecordID>605</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.523249" />
+<EventRecordID>606</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.538849" />
+<EventRecordID>607</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wow64win.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.538849" />
+<EventRecordID>608</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.538849" />
+<EventRecordID>609</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\kernel32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.538849" />
+<EventRecordID>610</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\KernelBase.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.554451" />
+<EventRecordID>611</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.554451" />
+<EventRecordID>612</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.554451" />
+<EventRecordID>613</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.554451" />
+<EventRecordID>614</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.554451" />
+<EventRecordID>615</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\winsrv.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.570051" />
+<EventRecordID>616</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.570051" />
+<EventRecordID>617</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.570051" />
+<EventRecordID>618</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.570051" />
+<EventRecordID>619</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\instnm.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.585651" />
+<EventRecordID>620</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\tdh.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.585651" />
+<EventRecordID>621</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.585651" />
+<EventRecordID>622</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.601250" />
+<EventRecordID>623</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.601250" />
+<EventRecordID>624</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.601250" />
+<EventRecordID>625</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\user.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.601250" />
+<EventRecordID>626</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.616850" />
+<EventRecordID>627</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.616850" />
+<EventRecordID>628</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.616850" />
+<EventRecordID>629</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.616850" />
+<EventRecordID>630</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.632450" />
+<EventRecordID>631</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.632450" />
+<EventRecordID>632</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.632450" />
+<EventRecordID>633</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ntvdm64.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.632450" />
+<EventRecordID>634</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.648050" />
+<EventRecordID>635</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.648050" />
+<EventRecordID>636</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.648050" />
+<EventRecordID>637</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.648050" />
+<EventRecordID>638</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.663651" />
+<EventRecordID>639</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.663651" />
+<EventRecordID>640</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\wow32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.663651" />
+<EventRecordID>641</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.679251" />
+<EventRecordID>642</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\advapi32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.679251" />
+<EventRecordID>643</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.679251" />
+<EventRecordID>644</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.679251" />
+<EventRecordID>645</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.694851" />
+<EventRecordID>646</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\KernelBase.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.694851" />
+<EventRecordID>647</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\kernel32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.694851" />
+<EventRecordID>648</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.694851" />
+<EventRecordID>649</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.710451" />
+<EventRecordID>650</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.710451" />
+<EventRecordID>651</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.710451" />
+<EventRecordID>652</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.710451" />
+<EventRecordID>653</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\setup16.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.726051" />
+<EventRecordID>654</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:58.726051" />
+<EventRecordID>655</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.038050" />
+<EventRecordID>656</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Common Files\microsoft shared\VGX\VGX.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.038050" />
+<EventRecordID>657</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\D3DCompiler_47.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.038050" />
+<EventRecordID>658</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\iexplore.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.038050" />
+<EventRecordID>659</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ie9props.propdesc</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.053650" />
+<EventRecordID>660</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\JSProfilerCore.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.053650" />
+<EventRecordID>661</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\jsprofilerui.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.069250" />
+<EventRecordID>662</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\pdm.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.069250" />
+<EventRecordID>663</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\pdmproxy100.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.069250" />
+<EventRecordID>664</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\DiagnosticsTap.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.069250" />
+<EventRecordID>665</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ExtExport.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.084850" />
+<EventRecordID>666</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\sqmapi.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.084850" />
+<EventRecordID>667</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\jsdebuggeride.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.100451" />
+<EventRecordID>668</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\jsdbgui.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.100451" />
+<EventRecordID>669</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\msdbg2.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.100451" />
+<EventRecordID>670</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\networkinspection.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.116051" />
+<EventRecordID>671</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\iedvtool.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.116051" />
+<EventRecordID>672</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ielowutil.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.116051" />
+<EventRecordID>673</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ieproxy.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.116051" />
+<EventRecordID>674</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ieinstal.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.131651" />
+<EventRecordID>675</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\F12Tools.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.131651" />
+<EventRecordID>676</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\IEShims.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.131651" />
+<EventRecordID>677</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\SIGNUP\install.ins</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd">S:AI</Data>
+<Data Name="NewSd" />
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.147251" />
+<EventRecordID>678</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\F12Tools.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.194050" />
+<EventRecordID>679</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\jsprofilerui.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.209650" />
+<EventRecordID>680</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\jsdbgui.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.209650" />
+<EventRecordID>681</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\iedvtool.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.225250" />
+<EventRecordID>682</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\DiagnosticsTap.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.225250" />
+<EventRecordID>683</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\ieinstal.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.225250" />
+<EventRecordID>684</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\eula.rtf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.225250" />
+<EventRecordID>685</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\networkinspection.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.240850" />
+<EventRecordID>686</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.240850" />
+<EventRecordID>687</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.256451" />
+<EventRecordID>688</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\iexplore.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.256451" />
+<EventRecordID>689</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\Timeline_is.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.256451" />
+<EventRecordID>690</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\pdm.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.256451" />
+<EventRecordID>691</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\msdbg2.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.272051" />
+<EventRecordID>692</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\Timeline.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.272051" />
+<EventRecordID>693</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\JSProfilerCore.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.287651" />
+<EventRecordID>694</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\ielowutil.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.287651" />
+<EventRecordID>695</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\ieinstal.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.287651" />
+<EventRecordID>696</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\IEShims.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.287651" />
+<EventRecordID>697</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\pdmproxy100.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.303251" />
+<EventRecordID>698</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\perfcore.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.303251" />
+<EventRecordID>699</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\D3DCompiler_47.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.303251" />
+<EventRecordID>700</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\iedvtool.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.318851" />
+<EventRecordID>701</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\ieproxy.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.318851" />
+<EventRecordID>702</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\DiagnosticsTap.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.318851" />
+<EventRecordID>703</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\iediagcmd.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.334450" />
+<EventRecordID>704</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\perf_nt.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.334450" />
+<EventRecordID>705</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.334450" />
+<EventRecordID>706</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\F12Tools.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.334450" />
+<EventRecordID>707</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\jsdebuggeride.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.412451" />
+<EventRecordID>708</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\networkinspection.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.412451" />
+<EventRecordID>709</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\jsprofilerui.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.412451" />
+<EventRecordID>710</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\DiagnosticsHub.ScriptedSandboxPlugin.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.428051" />
+<EventRecordID>711</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\MemoryAnalyzer.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.428051" />
+<EventRecordID>712</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\F12Resources.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.428051" />
+<EventRecordID>713</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\ie9props.propdesc</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.443651" />
+<EventRecordID>714</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\jsdbgui.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.443651" />
+<EventRecordID>715</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\F12.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.443651" />
+<EventRecordID>716</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.443651" />
+<EventRecordID>717</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\Timeline.cpu.xml</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.459251" />
+<EventRecordID>718</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\sqmapi.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.459251" />
+<EventRecordID>719</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\jsprofilerui.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.459251" />
+<EventRecordID>720</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\F12Tools.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.474850" />
+<EventRecordID>721</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\F12.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.474850" />
+<EventRecordID>722</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\jsdbgui.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.474850" />
+<EventRecordID>723</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.490450" />
+<EventRecordID>724</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.506050" />
+<EventRecordID>725</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.506050" />
+<EventRecordID>726</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\DiagnosticsTap.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.506050" />
+<EventRecordID>727</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.521652" />
+<EventRecordID>728</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\eula.rtf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.599651" />
+<EventRecordID>729</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.599651" />
+<EventRecordID>730</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\images\bing.ico</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.599651" />
+<EventRecordID>731</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Program Files\Internet Explorer\SIGNUP\install.ins</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd">S:AI</Data>
+<Data Name="NewSd" />
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.615252" />
+<EventRecordID>732</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieapfltr.dat</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.615252" />
+<EventRecordID>733</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\url.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.630852" />
+<EventRecordID>734</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\mshta.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.630852" />
+<EventRecordID>735</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\jsproxy.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.630852" />
+<EventRecordID>736</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieUnatt.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.646452" />
+<EventRecordID>737</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieui.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.646452" />
+<EventRecordID>738</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\mshtmlmedia.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.646452" />
+<EventRecordID>739</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieetwproxystub.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.646452" />
+<EventRecordID>740</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\jsIntl.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.646452" />
+<EventRecordID>741</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\RegisterIEPKEYs.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.662052" />
+<EventRecordID>742</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\iepeers.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.662052" />
+<EventRecordID>743</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\elshyph.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.662052" />
+<EventRecordID>744</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieframe.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.677652" />
+<EventRecordID>745</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ie4uinit.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.677652" />
+<EventRecordID>746</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\licmgr10.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.693253" />
+<EventRecordID>747</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\mshtmler.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.693253" />
+<EventRecordID>748</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\iexpress.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.693253" />
+<EventRecordID>749</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\IEAdvpack.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.708853" />
+<EventRecordID>750</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\dxtrans.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.802452" />
+<EventRecordID>751</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wextract.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.818052" />
+<EventRecordID>752</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieetwcollectorres.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.818052" />
+<EventRecordID>753</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\SetIEInstalledDate.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.833652" />
+<EventRecordID>754</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wininet.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.833652" />
+<EventRecordID>755</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\MshtmlDac.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.849253" />
+<EventRecordID>756</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\jscript.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.849253" />
+<EventRecordID>757</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\JavaScriptCollectionAgent.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.849253" />
+<EventRecordID>758</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\msfeedssync.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.864853" />
+<EventRecordID>759</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\webcheck.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.864853" />
+<EventRecordID>760</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\MsSpellCheckingFacility.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.880453" />
+<EventRecordID>761</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\icardie.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.880453" />
+<EventRecordID>762</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\iertutil.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.896051" />
+<EventRecordID>763</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\pngfilt.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.896051" />
+<EventRecordID>764</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\msls31.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.911652" />
+<EventRecordID>765</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieetwcollector.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.911652" />
+<EventRecordID>766</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\jscript9diag.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.927252" />
+<EventRecordID>767</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\iedkcs32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.942852" />
+<EventRecordID>768</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\iesetup.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.942852" />
+<EventRecordID>769</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\iernonce.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.942852" />
+<EventRecordID>770</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\vbscript.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.958452" />
+<EventRecordID>771</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\inseng.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.958452" />
+<EventRecordID>772</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\iesysprep.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.974052" />
+<EventRecordID>773</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\inetcpl.cpl</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.974052" />
+<EventRecordID>774</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\jscript9.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.974052" />
+<EventRecordID>775</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\occache.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.974052" />
+<EventRecordID>776</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieapfltr.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.989653" />
+<EventRecordID>777</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\html.iec</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:18:59.989653" />
+<EventRecordID>778</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\imgutil.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.005253" />
+<EventRecordID>779</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\msfeeds.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.005253" />
+<EventRecordID>780</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\ieuinit.inf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.005253" />
+<EventRecordID>781</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\tdc.ocx</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.020853" />
+<EventRecordID>782</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\mshtml.tlb</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.020853" />
+<EventRecordID>783</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\mshtml.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.036451" />
+<EventRecordID>784</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\mshtmled.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.036451" />
+<EventRecordID>785</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\urlmon.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.052052" />
+<EventRecordID>786</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\msfeedsbs.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.052052" />
+<EventRecordID>787</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\msrating.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.052052" />
+<EventRecordID>788</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\dxtmsft.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.067652" />
+<EventRecordID>789</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\iesetup.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.067652" />
+<EventRecordID>790</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\mshtmlmedia.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.083252" />
+<EventRecordID>791</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\icardie.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.098852" />
+<EventRecordID>792</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\iepeers.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.130053" />
+<EventRecordID>793</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\IEAdvpack.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.130053" />
+<EventRecordID>794</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\jsIntl.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.130053" />
+<EventRecordID>795</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\occache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.130053" />
+<EventRecordID>796</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\MsSpellCheckingFacility.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.145653" />
+<EventRecordID>797</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\wextract.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.145653" />
+<EventRecordID>798</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\ieunatt.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.145653" />
+<EventRecordID>799</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\ie4uinit.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.161253" />
+<EventRecordID>800</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\iernonce.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.161253" />
+<EventRecordID>801</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\elshyph.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.161253" />
+<EventRecordID>802</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\jscript.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.176851" />
+<EventRecordID>803</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\msrating.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.176851" />
+<EventRecordID>804</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\ieframe.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.176851" />
+<EventRecordID>805</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\msfeedsbs.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.192451" />
+<EventRecordID>806</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\vbscript.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.192451" />
+<EventRecordID>807</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\ieui.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.208052" />
+<EventRecordID>808</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\html.iec.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.208052" />
+<EventRecordID>809</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\iexpress.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.223652" />
+<EventRecordID>810</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\mshtmler.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.223652" />
+<EventRecordID>811</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\urlmon.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.223652" />
+<EventRecordID>812</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\jscript9.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.239252" />
+<EventRecordID>813</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\iedkcs32.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.239252" />
+<EventRecordID>814</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\webcheck.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.239252" />
+<EventRecordID>815</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\wininet.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.254852" />
+<EventRecordID>816</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\mshta.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.254852" />
+<EventRecordID>817</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\licmgr10.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.270452" />
+<EventRecordID>818</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\mshtml.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.270452" />
+<EventRecordID>819</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\inseng.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.286053" />
+<EventRecordID>820</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\inetcpl.cpl.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.286053" />
+<EventRecordID>821</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\en-US\ieetwcollectorres.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.286053" />
+<EventRecordID>822</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\spp\tokens\ppdlic\Microsoft-Windows-IE-InternetExplorer-ppdlic.xrm-ms</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.286053" />
+<EventRecordID>823</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wdi\perftrack\Microsoft-Windows-IE-HTMLRendering.ptxml</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.301653" />
+<EventRecordID>824</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wdi\perftrack\ieframe.ptxml</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.301653" />
+<EventRecordID>825</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\wdi\perftrack\Microsoft-Windows-IE-F12-Provider.ptxml</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.317253" />
+<EventRecordID>826</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\System32\migration\WininetPlugin.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.317253" />
+<EventRecordID>827</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\PolicyDefinitions\inetres.admx</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.332851" />
+<EventRecordID>828</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\PolicyDefinitions\en-US\InetRes.adml</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.410854" />
+<EventRecordID>829</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ieapfltr.dat</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.410854" />
+<EventRecordID>830</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\mshta.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.426455" />
+<EventRecordID>831</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\jsproxy.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.426455" />
+<EventRecordID>832</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\url.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.426455" />
+<EventRecordID>833</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ieUnatt.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.442055" />
+<EventRecordID>834</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ieui.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.442055" />
+<EventRecordID>835</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\mshtmlmedia.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.442055" />
+<EventRecordID>836</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\jsIntl.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.442055" />
+<EventRecordID>837</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ieetwproxystub.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.457653" />
+<EventRecordID>838</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\RegisterIEPKEYs.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.457653" />
+<EventRecordID>839</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\elshyph.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.457653" />
+<EventRecordID>840</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\iepeers.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.473253" />
+<EventRecordID>841</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ieframe.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.473253" />
+<EventRecordID>842</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\licmgr10.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.488853" />
+<EventRecordID>843</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\mshtmler.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.488853" />
+<EventRecordID>844</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\iexpress.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.488853" />
+<EventRecordID>845</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\IEAdvpack.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.488853" />
+<EventRecordID>846</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\wextract.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.504454" />
+<EventRecordID>847</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\dxtrans.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.504454" />
+<EventRecordID>848</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\wininet.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.520054" />
+<EventRecordID>849</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\SetIEInstalledDate.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.520054" />
+<EventRecordID>850</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\MshtmlDac.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.520054" />
+<EventRecordID>851</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\jscript.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.535654" />
+<EventRecordID>852</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.535654" />
+<EventRecordID>853</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\msfeedssync.exe</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.535654" />
+<EventRecordID>854</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\webcheck.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.551254" />
+<EventRecordID>855</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\icardie.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.551254" />
+<EventRecordID>856</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\iertutil.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.566854" />
+<EventRecordID>857</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\pngfilt.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.582455" />
+<EventRecordID>858</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\jscript9diag.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.582455" />
+<EventRecordID>859</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\msls31.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.598053" />
+<EventRecordID>860</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\iedkcs32.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.598053" />
+<EventRecordID>861</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\iesetup.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.613653" />
+<EventRecordID>862</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\iernonce.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.613653" />
+<EventRecordID>863</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\vbscript.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.613653" />
+<EventRecordID>864</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\iesysprep.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.629253" />
+<EventRecordID>865</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\inseng.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.629253" />
+<EventRecordID>866</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\jscript9.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.629253" />
+<EventRecordID>867</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\occache.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.644854" />
+<EventRecordID>868</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\inetcpl.cpl</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.644854" />
+<EventRecordID>869</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ieapfltr.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.644854" />
+<EventRecordID>870</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\html.iec</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.660454" />
+<EventRecordID>871</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\imgutil.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.660454" />
+<EventRecordID>872</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\msfeeds.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.660454" />
+<EventRecordID>873</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\ieuinit.inf</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.676054" />
+<EventRecordID>874</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\tdc.ocx</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.676054" />
+<EventRecordID>875</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\mshtml.tlb</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.676054" />
+<EventRecordID>876</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\mshtml.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.691654" />
+<EventRecordID>877</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\mshtmled.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.691654" />
+<EventRecordID>878</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\urlmon.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.691654" />
+<EventRecordID>879</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\msfeedsbs.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.707254" />
+<EventRecordID>880</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\msrating.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.707254" />
+<EventRecordID>881</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\dxtmsft.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.722855" />
+<EventRecordID>882</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\webcheck.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.722855" />
+<EventRecordID>883</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iernonce.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.722855" />
+<EventRecordID>884</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\inseng.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.738453" />
+<EventRecordID>885</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\html.iec.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.738453" />
+<EventRecordID>886</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\msrating.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.738453" />
+<EventRecordID>887</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\wininet.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.754053" />
+<EventRecordID>888</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\ieui.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.754053" />
+<EventRecordID>889</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\elshyph.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.769653" />
+<EventRecordID>890</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iexpress.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.769653" />
+<EventRecordID>891</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\ieetwcollectorres.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.769653" />
+<EventRecordID>892</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\occache.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.785254" />
+<EventRecordID>893</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\ieframe.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.785254" />
+<EventRecordID>894</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\mshta.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.785254" />
+<EventRecordID>895</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\mshtml.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.800854" />
+<EventRecordID>896</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\wextract.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.800854" />
+<EventRecordID>897</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iesetup.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.800854" />
+<EventRecordID>898</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\ieunatt.exe.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.816454" />
+<EventRecordID>899</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\licmgr10.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.816454" />
+<EventRecordID>900</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\mshtmler.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.832054" />
+<EventRecordID>901</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\jscript.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.832054" />
+<EventRecordID>902</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\vbscript.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.832054" />
+<EventRecordID>903</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iepeers.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.847654" />
+<EventRecordID>904</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\IEAdvpack.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.863255" />
+<EventRecordID>905</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\msfeedsbs.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.863255" />
+<EventRecordID>906</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\mshtmlmedia.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.878855" />
+<EventRecordID>907</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iedkcs32.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.878855" />
+<EventRecordID>908</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\urlmon.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.878855" />
+<EventRecordID>909</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\inetcpl.cpl.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.894453" />
+<EventRecordID>910</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\jscript9.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.894453" />
+<EventRecordID>911</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\en-US\icardie.dll.mui</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.894453" />
+<EventRecordID>912</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\wdi\perftrack\wow64_ieframe.ptxml</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.910053" />
+<EventRecordID>913</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\wdi\perftrack\wow64_Microsoft-Windows-IE-HTMLRendering.ptxml</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.910053" />
+<EventRecordID>914</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\SysWOW64\migration\WininetPlugin.dll</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.941254" />
+<EventRecordID>915</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Globalization\ELS\SpellDictionaries\MsSp7en.acl</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.956854" />
+<EventRecordID>916</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Globalization\ELS\SpellDictionaries\MsSp7en.dub</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.956854" />
+<EventRecordID>917</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Globalization\ELS\SpellDictionaries\MsSp7en.lex</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:00.972454" />
+<EventRecordID>918</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="472" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Globalization\ELS\HyphenationDictionaries\MsHy7en.lex</Data>
+<Data Name="HandleId">0x000000000000001c</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+<Data Name="ProcessId">0x0000000000000cdc</Data>
+<Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog" />
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:42.967728" />
+<EventRecordID>919</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="728" ThreadID="2476" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<UserData><ServiceShutdown />
+</UserData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:42.515327" />
+<EventRecordID>920</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="492" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001c0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:19:42.515327" />
+<EventRecordID>921</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="456" ThreadID="492" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:31.655058" />
+<EventRecordID>922</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="504" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:31.655058" />
+<EventRecordID>923</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="504" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName" />
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:32.388258" />
+<EventRecordID>924</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="552" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x000000000000c957</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.493498" />
+<EventRecordID>925</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.493498" />
+<EventRecordID>926</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.649498" />
+<EventRecordID>927</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.649498" />
+<EventRecordID>928</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.758699" />
+<EventRecordID>929</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.758699" />
+<EventRecordID>930</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.821098" />
+<EventRecordID>931</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.821098" />
+<EventRecordID>932</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.899099" />
+<EventRecordID>933</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:54.899099" />
+<EventRecordID>934</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:56.427902" />
+<EventRecordID>935</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:22:56.427902" />
+<EventRecordID>936</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:02.059311" />
+<EventRecordID>937</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="624" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:02.059311" />
+<EventRecordID>938</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="624" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:02.418114" />
+<EventRecordID>939</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="52" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:02.714514" />
+<EventRecordID>940</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="548" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x000000000001a427</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:02.745712" />
+<EventRecordID>941</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="624" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:12.589331" />
+<EventRecordID>942</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:12.589331" />
+<EventRecordID>943</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:24.804152" />
+<EventRecordID>944</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="516" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Globalization\ELS\HyphenationDictionaries</Data>
+<Data Name="HandleId">0x00000000000002d4</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;0x1f0116;;;WD)</Data>
+<Data Name="ProcessId">0x00000000000003e8</Data>
+<Data Name="ProcessName">C:\Windows\servicing\TrustedInstaller.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4907</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:23:24.850952" />
+<EventRecordID>945</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="516" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="ObjectServer">Security</Data>
+<Data Name="ObjectType">File</Data>
+<Data Name="ObjectName">C:\Windows\Globalization\ELS\SpellDictionaries</Data>
+<Data Name="HandleId">0x00000000000002d0</Data>
+<Data Name="OldSd" />
+<Data Name="NewSd">S:ARAI(AU;SAFA;0x1f0116;;;WD)</Data>
+<Data Name="ProcessId">0x00000000000003e8</Data>
+<Data Name="ProcessName">C:\Windows\servicing\TrustedInstaller.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:24:03.773020" />
+<EventRecordID>946</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="548" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:24:03.773020" />
+<EventRecordID>947</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="548" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000056f8b</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:24:03.773020" />
+<EventRecordID>948</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="548" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000056fb9</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:24:03.773020" />
+<EventRecordID>949</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="548" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x0000000000056f8b</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:25:04.193928" />
+<EventRecordID>950</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:25:04.193928" />
+<EventRecordID>951</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog" />
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:28:28.791111" />
+<EventRecordID>952</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="760" ThreadID="2512" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<UserData><ServiceShutdown />
+</UserData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:28:28.026711" />
+<EventRecordID>953</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000056fb9</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:36.516434" />
+<EventRecordID>954</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="504" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:36.516434" />
+<EventRecordID>955</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="504" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName" />
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:36.672434" />
+<EventRecordID>956</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="556" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x000000000000c54c</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:37.998434" />
+<EventRecordID>957</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:37.998434" />
+<EventRecordID>958</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.154436" />
+<EventRecordID>959</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.154436" />
+<EventRecordID>960</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.279236" />
+<EventRecordID>961</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.279236" />
+<EventRecordID>962</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.388435" />
+<EventRecordID>963</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.388435" />
+<EventRecordID>964</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.435236" />
+<EventRecordID>965</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.435236" />
+<EventRecordID>966</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.887638" />
+<EventRecordID>967</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:38.887638" />
+<EventRecordID>968</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:39.839441" />
+<EventRecordID>969</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="44" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:41.029442" />
+<EventRecordID>970</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:43:43.719446" />
+<EventRecordID>971</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x000000000001c185</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:16.282011" />
+<EventRecordID>972</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:16.282011" />
+<EventRecordID>973</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000224e3</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:16.282011" />
+<EventRecordID>974</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000022517</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:16.282011" />
+<EventRecordID>975</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:31.129238" />
+<EventRecordID>976</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:31.129238" />
+<EventRecordID>977</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:45.700264" />
+<EventRecordID>978</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:45:45.700264" />
+<EventRecordID>979</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:47:37.490059" />
+<EventRecordID>980</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:47:37.490059" />
+<EventRecordID>981</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="596" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:37.681681" />
+<EventRecordID>982</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x0000000000022517</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4728</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.524311" />
+<EventRecordID>983</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">None</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-513</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4720</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.524311" />
+<EventRecordID>984</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">admin11</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x0</Data>
+<Data Name="NewUacValue">0x15</Data>
+<Data Name="UserAccountControl">
+		%%2080
+		%%2082
+		%%2084</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4722</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.524311" />
+<EventRecordID>985</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.524311" />
+<EventRecordID>986</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">admin11</Data>
+<Data Name="DisplayName">admin11</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x15</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">
+		%%2048
+		%%2050
+		%%2089</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4732</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.524311" />
+<EventRecordID>987</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.539913" />
+<EventRecordID>988</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4732</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.617912" />
+<EventRecordID>989</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">Administrators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-544</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:51:54.617912" />
+<EventRecordID>990</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">admin11</Data>
+<Data Name="DisplayName">admin11</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x210</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:10.872742" />
+<EventRecordID>991</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">admin11</Data>
+<Data Name="DisplayName">admin11</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">3/22/2015 11:52:10 AM</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x210</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4724</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:10.872742" />
+<EventRecordID>992</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:17.881954" />
+<EventRecordID>993</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4728</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.742777" />
+<EventRecordID>994</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="TargetUserName">None</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-513</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4720</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.742777" />
+<EventRecordID>995</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">ITechTeam</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x0</Data>
+<Data Name="NewUacValue">0x15</Data>
+<Data Name="UserAccountControl">
+		%%2080
+		%%2082
+		%%2084</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4722</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.742777" />
+<EventRecordID>996</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.742777" />
+<EventRecordID>997</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">ITechTeam</Data>
+<Data Name="DisplayName">ITechTeam</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x15</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">
+		%%2048
+		%%2050
+		%%2089</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4732</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.758377" />
+<EventRecordID>998</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2568" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="TargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.773977" />
+<EventRecordID>999</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4732</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.805178" />
+<EventRecordID>1000</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="TargetUserName">Administrators</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-544</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:30.820778" />
+<EventRecordID>1001</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">ITechTeam</Data>
+<Data Name="DisplayName">ITechTeam</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x210</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:45.546404" />
+<EventRecordID>1002</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">ITechTeam</Data>
+<Data Name="DisplayName">ITechTeam</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">3/22/2015 11:52:45 AM</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x210</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4724</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:45.546404" />
+<EventRecordID>1003</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:52:52.694817" />
+<EventRecordID>1004</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">ITechTeam</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4728</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:01.900034" />
+<EventRecordID>1005</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="TargetUserName">None</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-513</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4720</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:01.900034" />
+<EventRecordID>1006</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">temporary</Data>
+<Data Name="DisplayName">%%1793</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x0</Data>
+<Data Name="NewUacValue">0x15</Data>
+<Data Name="UserAccountControl">
+		%%2080
+		%%2082
+		%%2084</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4722</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:01.900034" />
+<EventRecordID>1007</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:01.900034" />
+<EventRecordID>1008</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">temporary</Data>
+<Data Name="DisplayName">temporary</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x15</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">
+		%%2048
+		%%2050
+		%%2089</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4732</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13826</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:01.915634" />
+<EventRecordID>1009</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="MemberName">-</Data>
+<Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="TargetUserName">Users</Data>
+<Data Name="TargetDomainName">Builtin</Data>
+<Data Name="TargetSid">S-1-5-32-545</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:01.931234" />
+<EventRecordID>1010</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:01.978035" />
+<EventRecordID>1011</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">temporary</Data>
+<Data Name="DisplayName">temporary</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">%%1794</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x210</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">%%1793</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:11.774855" />
+<EventRecordID>1012</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">temporary</Data>
+<Data Name="DisplayName">temporary</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">%%1793</Data>
+<Data Name="HomePath">%%1793</Data>
+<Data Name="ScriptPath">%%1793</Data>
+<Data Name="ProfilePath">%%1793</Data>
+<Data Name="UserWorkstations">%%1793</Data>
+<Data Name="PasswordLastSet">3/22/2015 11:53:11 AM</Data>
+<Data Name="AccountExpires">%%1794</Data>
+<Data Name="PrimaryGroupId">513</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">0x210</Data>
+<Data Name="NewUacValue">0x210</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">%%1797</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4724</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:11.774855" />
+<EventRecordID>1013</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="536" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4738</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13824</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:17.267263" />
+<EventRecordID>1014</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="Dummy">-</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000224e3</Data>
+<Data Name="PrivilegeList">-</Data>
+<Data Name="SamAccountName">-</Data>
+<Data Name="DisplayName">-</Data>
+<Data Name="UserPrincipalName">-</Data>
+<Data Name="HomeDirectory">-</Data>
+<Data Name="HomePath">-</Data>
+<Data Name="ScriptPath">-</Data>
+<Data Name="ProfilePath">-</Data>
+<Data Name="UserWorkstations">-</Data>
+<Data Name="PasswordLastSet">-</Data>
+<Data Name="AccountExpires">-</Data>
+<Data Name="PrimaryGroupId">-</Data>
+<Data Name="AllowedToDelegateTo">-</Data>
+<Data Name="OldUacValue">-</Data>
+<Data Name="NewUacValue">-</Data>
+<Data Name="UserAccountControl">-</Data>
+<Data Name="UserParameters">-</Data>
+<Data Name="SidHistory">-</Data>
+<Data Name="LogonHours">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:44.310112" />
+<EventRecordID>1015</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x00000000000007a0</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:44.310112" />
+<EventRecordID>1016</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000094b57</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000007a0</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:44.310112" />
+<EventRecordID>1017</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000094b71</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000007a0</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:53:44.310112" />
+<EventRecordID>1018</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserName">admin11</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x0000000000094b57</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:55:52.345053" />
+<EventRecordID>1019</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2272" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000094b71</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:55:57.259062" />
+<EventRecordID>1020</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x000000000000072c</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:55:57.259062" />
+<EventRecordID>1021</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000f2cd6</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x000000000000072c</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:56:45.514757" />
+<EventRecordID>1022</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000094b71</Data>
+<Data Name="LogonType">2</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:56:45.514757" />
+<EventRecordID>1023</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000094b57</Data>
+<Data Name="LogonType">2</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:56:58.020781" />
+<EventRecordID>1024</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000f2cd6</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:02.435589" />
+<EventRecordID>1025</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x0000000000000954</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:02.435589" />
+<EventRecordID>1026</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000001354b3</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000954</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:02.435589" />
+<EventRecordID>1027</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000001354c8</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000954</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:02.435589" />
+<EventRecordID>1028</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2668" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="SubjectUserName">admin11</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000001354b3</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:41.899269" />
+<EventRecordID>1029</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2272" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000001354c8</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:54.426090" />
+<EventRecordID>1030</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2272" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x0000000000000c1c</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:54.426090" />
+<EventRecordID>1031</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2272" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000157b62</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000c1c</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:54.426090" />
+<EventRecordID>1032</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2272" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000157b78</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000c1c</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:54.426090" />
+<EventRecordID>1033</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2272" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x0000000000157b62</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:55.533691" />
+<EventRecordID>1034</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="988" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000157b78</Data>
+<Data Name="LogonType">2</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:55.533691" />
+<EventRecordID>1035</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2272" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000157b62</Data>
+<Data Name="LogonType">2</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:57:56.376093" />
+<EventRecordID>1036</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2272" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+<Data Name="TargetUserName">temporary</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000f2cd6</Data>
+<Data Name="LogonType">2</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:58:26.374947" />
+<EventRecordID>1037</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2272" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000001354c8</Data>
+<Data Name="LogonType">2</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 15:58:26.374947" />
+<EventRecordID>1038</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="988" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+<Data Name="TargetUserName">admin11</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000001354b3</Data>
+<Data Name="LogonType">2</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog" />
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 16:00:09.652330" />
+<EventRecordID>1039</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="744" ThreadID="2916" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<UserData><ServiceShutdown />
+</UserData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-22 16:00:08.607128" />
+<EventRecordID>1040</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="500" ThreadID="2272" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000022517</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:23.645645" />
+<EventRecordID>1041</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="496" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:23.661245" />
+<EventRecordID>1042</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="496" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName" />
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:23.708046" />
+<EventRecordID>1043</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="548" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x000000000000bac4</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.659647" />
+<EventRecordID>1044</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.659647" />
+<EventRecordID>1045</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.800047" />
+<EventRecordID>1046</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.800047" />
+<EventRecordID>1047</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.862448" />
+<EventRecordID>1048</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.862448" />
+<EventRecordID>1049</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.940447" />
+<EventRecordID>1050</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:24.940447" />
+<EventRecordID>1051</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:25.065247" />
+<EventRecordID>1052</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:25.065247" />
+<EventRecordID>1053</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:26.244253" />
+<EventRecordID>1054</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="528" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:26.244253" />
+<EventRecordID>1055</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="528" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:26.424252" />
+<EventRecordID>1056</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="64" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:26.656254" />
+<EventRecordID>1057</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:28.422262" />
+<EventRecordID>1058</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x000000000001b9a4</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:41.036285" />
+<EventRecordID>1059</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x00000000000001a8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:41.036285" />
+<EventRecordID>1060</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x000000000002359c</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001a8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:41.036285" />
+<EventRecordID>1061</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000235cc</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001a8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:41.036285" />
+<EventRecordID>1062</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x000000000002359c</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:53.981310" />
+<EventRecordID>1063</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:24:53.981310" />
+<EventRecordID>1064</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:25:47.191999" />
+<EventRecordID>1065</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="56" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PreviousTime">2015-03-23 17:25:47.192598</Data>
+<Data Name="NewTime">2015-03-23 17:25:47.191999</Data>
+<Data Name="ProcessId">0x0000000000000358</Data>
+<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:26:34.578482" />
+<EventRecordID>1066</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 17:26:34.578482" />
+<EventRecordID>1067</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 18:36:07.849930" />
+<EventRecordID>1068</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="4028" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 18:36:07.849930" />
+<EventRecordID>1069</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="4028" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 19:08:15.571480" />
+<EventRecordID>1070</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="52" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PreviousTime">2015-03-23 18:57:01.113134</Data>
+<Data Name="NewTime">2015-03-23 19:08:15.571480</Data>
+<Data Name="ProcessId">0x0000000000000358</Data>
+<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 19:08:15.586599" />
+<EventRecordID>1071</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="64" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PreviousTime">2015-03-23 19:08:15.571480</Data>
+<Data Name="NewTime">2015-03-23 19:08:15.570999</Data>
+<Data Name="ProcessId">0x0000000000000358</Data>
+<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 19:08:46.442999" />
+<EventRecordID>1072</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="52" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PreviousTime">2015-03-23 19:08:46.443419</Data>
+<Data Name="NewTime">2015-03-23 19:08:46.442999</Data>
+<Data Name="ProcessId">0x0000000000000358</Data>
+<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:00:22.997030" />
+<EventRecordID>1073</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="2208" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:00:22.997030" />
+<EventRecordID>1074</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="2208" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:00:45.605478" />
+<EventRecordID>1075</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="3192" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:00:45.605478" />
+<EventRecordID>1076</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="3192" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:01:01.714952" />
+<EventRecordID>1077</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:01:01.714952" />
+<EventRecordID>1078</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:01:02.354555" />
+<EventRecordID>1079</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e4</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:01:02.354555" />
+<EventRecordID>1080</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4904</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:01:22.824591" />
+<EventRecordID>1081</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="2208" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000002c2083</Data>
+<Data Name="ProcessId">0x0000000000000d40</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4905</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:01:22.840191" />
+<EventRecordID>1082</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="2208" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000002c2083</Data>
+<Data Name="ProcessId">0x0000000000000d40</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 20:23:27.973217" />
+<EventRecordID>1083</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="2164" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000235cc</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">Company</Data>
+<Data Name="TargetDomainName">INFORMANT-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">Company-PC</Data>
+<Data Name="TargetInfo">Company-PC</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName" />
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 21:02:53.551575" />
+<EventRecordID>1084</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="492" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000235cc</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog" />
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-23 21:02:59.900787" />
+<EventRecordID>1085</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="724" ThreadID="3256" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<UserData><ServiceShutdown />
+</UserData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:29.399240" />
+<EventRecordID>1086</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="500" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:29.399240" />
+<EventRecordID>1087</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="500" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName" />
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:29.461641" />
+<EventRecordID>1088</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="548" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x000000000000b683</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.481653" />
+<EventRecordID>1089</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="560" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.481653" />
+<EventRecordID>1090</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="560" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.653254" />
+<EventRecordID>1091</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="560" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.653254" />
+<EventRecordID>1092</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="560" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.715654" />
+<EventRecordID>1093</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="564" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.715654" />
+<EventRecordID>1094</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="564" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.824854" />
+<EventRecordID>1095</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="560" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.824854" />
+<EventRecordID>1096</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="560" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.902853" />
+<EventRecordID>1097</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="560" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:36.902853" />
+<EventRecordID>1098</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="560" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:37.949461" />
+<EventRecordID>1099</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="564" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:37.949461" />
+<EventRecordID>1100</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="564" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:38.131464" />
+<EventRecordID>1101</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="52" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:38.323465" />
+<EventRecordID>1102</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="564" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:38.835484" />
+<EventRecordID>1103</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="560" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x000000000001c0ce</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:44.983509" />
+<EventRecordID>1104</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="532" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:44.983509" />
+<EventRecordID>1105</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="532" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x000000000002269c</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:44.983509" />
+<EventRecordID>1106</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="532" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000226c4</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:44.983509" />
+<EventRecordID>1107</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="532" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x000000000002269c</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:57.353931" />
+<EventRecordID>1108</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="560" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:21:57.353931" />
+<EventRecordID>1109</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="560" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:23:40.220510" />
+<EventRecordID>1110</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="532" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:23:40.220510" />
+<EventRecordID>1111</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="532" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 13:47:06.075186" />
+<EventRecordID>1112</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="1740" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000000226c4</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">Company</Data>
+<Data Name="TargetDomainName">INFORMANT-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">Company-PC</Data>
+<Data Name="TargetInfo">Company-PC</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName" />
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:14:30.786434" />
+<EventRecordID>1113</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="560" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:14:30.786434" />
+<EventRecordID>1114</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="560" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:21:38.226231" />
+<EventRecordID>1115</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="2160" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:21:38.226231" />
+<EventRecordID>1116</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="2160" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:21:38.507030" />
+<EventRecordID>1117</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="2160" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:21:38.507030" />
+<EventRecordID>1118</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="2160" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:22:39.911482" />
+<EventRecordID>1119</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="2904" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:22:39.911482" />
+<EventRecordID>1120</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="2904" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:46:14.466702" />
+<EventRecordID>1121</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="1716" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 15:46:14.466702" />
+<EventRecordID>1122</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="1716" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 18:28:38.261791" />
+<EventRecordID>1123</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="988" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 18:28:38.261791" />
+<EventRecordID>1124</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="988" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000006cabcf</Data>
+<Data Name="LogonType">7</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 18:28:38.261791" />
+<EventRecordID>1125</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="988" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000006cabdd</Data>
+<Data Name="LogonType">7</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001b8</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 18:28:38.261791" />
+<EventRecordID>1126</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="988" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x00000000006cabcf</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 18:28:38.261791" />
+<EventRecordID>1127</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="988" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000006cabdd</Data>
+<Data Name="LogonType">7</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 18:28:38.261791" />
+<EventRecordID>1128</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="988" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000006cabcf</Data>
+<Data Name="LogonType">7</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 20:58:52.193810" />
+<EventRecordID>1129</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="2068" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001e8</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 20:58:52.193810" />
+<EventRecordID>1130</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="2068" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 21:07:25.488918" />
+<EventRecordID>1131</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="496" ThreadID="3392" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x00000000000226c4</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog" />
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-24 21:07:26.799320" />
+<EventRecordID>1132</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="760" ThreadID="4048" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<UserData><ServiceShutdown />
+</UserData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4608</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:41.968834" />
+<EventRecordID>1133</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="476" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:41.968834" />
+<EventRecordID>1134</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="476" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">0</Data>
+<Data Name="LogonProcessName">-</Data>
+<Data Name="AuthenticationPackageName">-</Data>
+<Data Name="WorkstationName">-</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000004</Data>
+<Data Name="ProcessName" />
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4902</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:42.468035" />
+<EventRecordID>1135</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="524" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="PuaCount">0</Data>
+<Data Name="PuaPolicyId">0x000000000000ba7d</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:42.592834" />
+<EventRecordID>1136</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:42.592834" />
+<EventRecordID>1137</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.372837" />
+<EventRecordID>1138</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-20</Data>
+<Data Name="TargetUserName">NETWORK SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e4</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.372837" />
+<EventRecordID>1139</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
+<Data Name="SubjectUserName">NETWORK SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e4</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.497637" />
+<EventRecordID>1140</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-19</Data>
+<Data Name="TargetUserName">LOCAL SERVICE</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e5</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.497637" />
+<EventRecordID>1141</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.638037" />
+<EventRecordID>1142</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.638037" />
+<EventRecordID>1143</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.669237" />
+<EventRecordID>1144</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:43.669237" />
+<EventRecordID>1145</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:45.556839" />
+<EventRecordID>1146</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:45.556839" />
+<EventRecordID>1147</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5033</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:45.777241" />
+<EventRecordID>1148</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="64" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">5024</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12292</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:46.425243" />
+<EventRecordID>1149</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="508" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData />
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:05:48.117256" />
+<EventRecordID>1150</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
+<Data Name="SubjectUserName">-</Data>
+<Data Name="SubjectDomainName">-</Data>
+<Data Name="SubjectLogonId">0x0000000000000000</Data>
+<Data Name="TargetUserSid">S-1-5-7</Data>
+<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x000000000001c0d1</Data>
+<Data Name="LogonType">3</Data>
+<Data Name="LogonProcessName">NtLmSsp </Data>
+<Data Name="AuthenticationPackageName">NTLM</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">NTLM V1</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000000</Data>
+<Data Name="ProcessName">-</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:06:08.919298" />
+<EventRecordID>1151</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="520" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:06:08.919298" />
+<EventRecordID>1152</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="520" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000025465</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:06:08.919298" />
+<EventRecordID>1153</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="520" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000025493</Data>
+<Data Name="LogonType">2</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:06:08.919298" />
+<EventRecordID>1154</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="520" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x0000000000025465</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:06:16.402313" />
+<EventRecordID>1155</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="528" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:06:16.402313" />
+<EventRecordID>1156</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="528" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:07:49.222477" />
+<EventRecordID>1157</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:07:49.222477" />
+<EventRecordID>1158</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="540" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:23:59.668980" />
+<EventRecordID>1159</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="528" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 13:23:59.668980" />
+<EventRecordID>1160</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="528" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:13:47.009901" />
+<EventRecordID>1161</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="44" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PreviousTime">2015-03-25 13:29:46.566790</Data>
+<Data Name="NewTime">2015-03-25 14:13:47.009901</Data>
+<Data Name="ProcessId">0x0000000000000330</Data>
+<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:13:47.025000" />
+<EventRecordID>1162</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="48" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PreviousTime">2015-03-25 14:13:47.025499</Data>
+<Data Name="NewTime">2015-03-25 14:13:47.025000</Data>
+<Data Name="ProcessId">0x0000000000000330</Data>
+<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:31:53.299805" />
+<EventRecordID>1163</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="2772" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:31:53.299805" />
+<EventRecordID>1164</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="2772" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4648</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:45:59.180204" />
+<EventRecordID>1165</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="1064" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TargetServerName">localhost</Data>
+<Data Name="TargetInfo">localhost</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:45:59.180204" />
+<EventRecordID>1166</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="1064" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000157773</Data>
+<Data Name="LogonType">7</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:45:59.180204" />
+<EventRecordID>1167</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="1064" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x000000000015777f</Data>
+<Data Name="LogonType">7</Data>
+<Data Name="LogonProcessName">User32 </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName">INFORMANT-PC</Data>
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x0000000000000194</Data>
+<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+<Data Name="IpAddress">127.0.0.1</Data>
+<Data Name="IpPort">0</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:45:59.180204" />
+<EventRecordID>1168</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="1064" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="SubjectUserName">informant</Data>
+<Data Name="SubjectDomainName">informant-PC</Data>
+<Data Name="SubjectLogonId">0x0000000000157773</Data>
+<Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:45:59.180204" />
+<EventRecordID>1169</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="1064" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x000000000015777f</Data>
+<Data Name="LogonType">7</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4634</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:45:59.180204" />
+<EventRecordID>1170</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="1064" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000157773</Data>
+<Data Name="LogonType">7</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:28.948605" />
+<EventRecordID>1171</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="2304" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:28.948605" />
+<EventRecordID>1172</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="2304" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:30.305803" />
+<EventRecordID>1173</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="2304" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:30.305803" />
+<EventRecordID>1174</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="2304" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:30.430605" />
+<EventRecordID>1175</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="2592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:30.430605" />
+<EventRecordID>1176</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="2592" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4904</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:45.235004" />
+<EventRecordID>1177</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="2888" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000001aa8e7</Data>
+<Data Name="ProcessId">0x0000000000000934</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4905</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:45.235004" />
+<EventRecordID>1178</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="2888" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x00000000001aa8e7</Data>
+<Data Name="ProcessId">0x0000000000000934</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:50.960205" />
+<EventRecordID>1179</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="2888" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:50:50.960205" />
+<EventRecordID>1180</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="2888" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:56:55.922205" />
+<EventRecordID>1181</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="3772" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:56:55.922205" />
+<EventRecordID>1182</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="3772" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:57:18.230204" />
+<EventRecordID>1183</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="528" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:57:18.230204" />
+<EventRecordID>1184</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="528" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:57:18.479805" />
+<EventRecordID>1185</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="528" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:57:18.479805" />
+<EventRecordID>1186</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="528" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4904</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:57:33.393404" />
+<EventRecordID>1187</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="4040" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x0000000000245dcb</Data>
+<Data Name="ProcessId">0x0000000000000aa4</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4905</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>13568</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 14:57:33.393404" />
+<EventRecordID>1188</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="4040" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="AuditSourceName">VSSAudit</Data>
+<Data Name="EventSourceId">0x0000000000245dcb</Data>
+<Data Name="ProcessId">0x0000000000000aa4</Data>
+<Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4624</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12544</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 15:18:54.221603" />
+<EventRecordID>1189</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="528" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">INFORMANT-PC$</Data>
+<Data Name="SubjectDomainName">WORKGROUP</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="TargetUserSid">S-1-5-18</Data>
+<Data Name="TargetUserName">SYSTEM</Data>
+<Data Name="TargetDomainName">NT AUTHORITY</Data>
+<Data Name="TargetLogonId">0x00000000000003e7</Data>
+<Data Name="LogonType">5</Data>
+<Data Name="LogonProcessName">Advapi  </Data>
+<Data Name="AuthenticationPackageName">Negotiate</Data>
+<Data Name="WorkstationName" />
+<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+<Data Name="TransmittedServices">-</Data>
+<Data Name="LmPackageName">-</Data>
+<Data Name="KeyLength">0</Data>
+<Data Name="ProcessId">0x00000000000001d0</Data>
+<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+<Data Name="IpAddress">-</Data>
+<Data Name="IpPort">-</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4672</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12548</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 15:18:54.221603" />
+<EventRecordID>1190</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="528" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
+<Data Name="SubjectUserName">SYSTEM</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e7</Data>
+<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4647</EventID>
+<Version>0</Version>
+<Level>0</Level>
+<Task>12545</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 15:30:57.775204" />
+<EventRecordID>1191</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="472" ThreadID="3968" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+<Data Name="TargetUserName">informant</Data>
+<Data Name="TargetDomainName">informant-PC</Data>
+<Data Name="TargetLogonId">0x0000000000025493</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing" />
+<EventID Qualifiers="">4616</EventID>
+<Version>1</Version>
+<Level>0</Level>
+<Task>12288</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 15:31:00.240000" />
+<EventRecordID>1192</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="4" ThreadID="64" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<EventData><Data Name="SubjectUserSid">S-1-5-19</Data>
+<Data Name="SubjectUserName">LOCAL SERVICE</Data>
+<Data Name="SubjectDomainName">NT AUTHORITY</Data>
+<Data Name="SubjectLogonId">0x00000000000003e5</Data>
+<Data Name="PreviousTime">2015-03-25 15:31:00.240004</Data>
+<Data Name="NewTime">2015-03-25 15:31:00.240000</Data>
+<Data Name="ProcessId">0x0000000000000330</Data>
+<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+</EventData>
+</Event>
+
+<Event><System><Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog" />
+<EventID Qualifiers="">1100</EventID>
+<Version>0</Version>
+<Level>4</Level>
+<Task>103</Task>
+<Opcode>0</Opcode>
+<Keywords>0x4020000000000000</Keywords>
+<TimeCreated SystemTime="2015-03-25 15:31:00.364799" />
+<EventRecordID>1193</EventRecordID>
+<Correlation ActivityID="" RelatedActivityID="" />
+<Execution ProcessID="752" ThreadID="3912" />
+<Channel>Security</Channel>
+<Computer>informant-PC</Computer>
+<Security UserID="" />
+</System>
+<UserData><ServiceShutdown />
+</UserData>
+</Event>
+
+</Events>
\ No newline at end of file
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore.xml b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore.xml
new file mode 100644
index 0000000..3f0376a
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bookstore>
+  <book category="cooking">
+    <title lang="en">Everyday Italian</title>
+    <author>Giada De Laurentiis</author>
+    <year>2005</year>
+    <price>30.00</price>
+  </book>
+  <book category="children">
+    <title lang="en">Harry Potter</title>
+    <author>J K. Rowling</author>
+    <year>2005</year>
+    <price>29.99</price>
+  </book>
+  <book category="web">
+    <title lang="en">Learning XML</title>
+    <author>Erik T. Ray</author>
+    <year>2003</year>
+    <price>39.95</price>
+  </book>
+</bookstore>
\ No newline at end of file
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_list_book_category_attrib.py b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_list_book_category_attrib.py
new file mode 100644
index 0000000..36e0a1f
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_list_book_category_attrib.py
@@ -0,0 +1,10 @@
+import xml.etree.ElementTree as ET
+
+tree = ET.parse("bookstore_removed_ns.xml")
+root = tree.getroot()
+
+# Iterate through the book elements and print their category attributes
+for book in root.findall(".//book"):  # Find all 'book' elements at any depth
+    # Get book category attribute
+    cate = book.attrib.get("category")
+    print("book category: {}".format(cate))
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_list_tags.py b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_list_tags.py
new file mode 100644
index 0000000..b760977
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_list_tags.py
@@ -0,0 +1,16 @@
+import xml.etree.ElementTree as ET
+
+tree = ET.parse("bookstore.xml")
+root = tree.getroot()
+
+# Create an empty set to store unique tag names
+tag_names = set()
+
+# Iterate through the elements and collect unique tag names
+for element in root.iter():
+    tag_names.add(element.tag)
+
+# Convert the set to a sorted list and print the tag names
+tag_list = sorted(tag_names)
+for tag in tag_list:
+    print(tag)
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_list_titles_v1.py b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_list_titles_v1.py
new file mode 100644
index 0000000..93914fc
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_list_titles_v1.py
@@ -0,0 +1,11 @@
+import xml.etree.ElementTree as ET
+
+tree = ET.parse("bookstore.xml")
+root = tree.getroot()
+
+# Iterate through the book elements and print their titles
+for book in root.findall(".//book"):  # Find all 'book' elements at any depth
+    # Find the first 'title' elements at current depth
+    title_element = book.find("title")
+    if title_element is not None:
+        print("Book Title: {}".format(title_element.text))
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_list_titles_v2.py b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_list_titles_v2.py
new file mode 100644
index 0000000..5dd52b2
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_list_titles_v2.py
@@ -0,0 +1,8 @@
+import xml.etree.ElementTree as ET
+
+tree = ET.parse("bookstore.xml")
+root = tree.getroot()
+
+# Find and print all the "year" elements
+for title_element in root.findall(".//title"):
+    print(title_element.text)
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_ns.xml b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_ns.xml
new file mode 100644
index 0000000..faba862
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_ns.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bookstore xmlns="http://schemas.exampl.com">
+  <book category="cooking">
+    <title lang="en">Everyday Italian</title>
+    <author>Giada De Laurentiis</author>
+    <year>2005</year>
+    <price>30.00</price>
+  </book>
+  <book category="children">
+    <title lang="en">Harry Potter</title>
+    <author>J K. Rowling</author>
+    <year>2005</year>
+    <price>29.99</price>
+  </book>
+  <book category="web">
+    <title lang="en">Learning XML</title>
+    <author>Erik T. Ray</author>
+    <year>2003</year>
+    <price>39.95</price>
+  </book>
+</bookstore>
\ No newline at end of file
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_remove_ns.py b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_remove_ns.py
new file mode 100644
index 0000000..a6b4da7
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_remove_ns.py
@@ -0,0 +1,23 @@
+import xml.etree.ElementTree as ET
+
+tree = ET.parse("bookstore.xml")
+root = tree.getroot()
+
+
+# Define a function to recursively remove all namespace prefixes
+def remove_namespace_prefix(element):
+    print(element.tag)
+    element.tag = element.tag.split("}", 1)[-1]  # Remove namespace prefix
+    for child in element:
+        remove_namespace_prefix(child)
+
+
+# Remove namespace prefixes from the root element and its descendants
+remove_namespace_prefix(root)
+
+# Convert the modified XML tree to a string
+modified_xml = ET.tostring(root, encoding="utf-8")
+
+# Save the updated XML to a new file
+with open("bookstore_removed_ns.xml", "wb") as f:
+    f.write(modified_xml)
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_removed_ns.xml b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_removed_ns.xml
new file mode 100644
index 0000000..92266b6
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_removed_ns.xml
@@ -0,0 +1,20 @@
+<bookstore>
+  <book category="cooking">
+    <title lang="en">Everyday Italian</title>
+    <author>Giada De Laurentiis</author>
+    <year>2005</year>
+    <price>30.00</price>
+  </book>
+  <book category="children">
+    <title lang="en">Harry Potter</title>
+    <author>J K. Rowling</author>
+    <year>2005</year>
+    <price>29.99</price>
+  </book>
+  <book category="web">
+    <title lang="en">Learning XML</title>
+    <author>Erik T. Ray</author>
+    <year>2003</year>
+    <price>39.95</price>
+  </book>
+</bookstore>
\ No newline at end of file
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_show_first_book.py b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_show_first_book.py
new file mode 100644
index 0000000..baceb9c
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_show_first_book.py
@@ -0,0 +1,12 @@
+import xml.etree.ElementTree as ET
+
+tree = ET.parse("bookstore.xml")
+root = tree.getroot()
+
+# Access the first child element of the root directly using indexing
+first_element = root[0]
+
+# Print the tag name and text content of the first element
+print("Tag Name:", first_element.tag)
+for child in first_element:
+    print(f"{child.tag}: {child.text}")
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_update_one_author.py b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_update_one_author.py
new file mode 100644
index 0000000..c5afd4e
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_update_one_author.py
@@ -0,0 +1,15 @@
+import xml.etree.ElementTree as ET
+
+tree = ET.parse("bookstore.xml")
+root = tree.getroot()
+
+# Find the "author" element with the current name and update it
+for author_element in root.findall(".//author"):
+    if author_element.text == "Giada De Laurentiis":
+        author_element.text = "Giada Laurentiis"
+
+# Serialize the updated XML to a string
+updated_xml_content = ET.tostring(root, encoding="utf-8")
+
+# Print the updated XML content
+print(updated_xml_content.decode("utf-8"))
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_update_price_plus1.py b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_update_price_plus1.py
new file mode 100644
index 0000000..f3f381d
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/bookstore_update_price_plus1.py
@@ -0,0 +1,17 @@
+import xml.etree.ElementTree as ET
+
+tree = ET.parse("bookstore.xml")
+root = tree.getroot()
+
+# Find and update all the "price" elements
+for price_element in root.findall(".//price"):
+    current_price = float(price_element.text)
+    new_price = current_price + 1
+    price_element.text = str(new_price)
+
+# Serialize the updated XML to a string
+updated_xml_content = ET.tostring(root, encoding="utf-8")
+
+# Save the updated XML to a new file
+with open("bookstore_updated.xml", "wb") as f:
+    f.write(updated_xml_content)
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityEvt_formatted.xml b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityEvt_formatted.xml
new file mode 100644
index 0000000..a046350
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityEvt_formatted.xml
@@ -0,0 +1,39045 @@
+<?xml version="1.0" ?>
+<Events>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4608</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:35.248869"/>
+      <EventRecordID>1</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:35.311270"/>
+      <EventRecordID>2</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">0</Data>
+      <Data Name="LogonProcessName">-</Data>
+      <Data Name="AuthenticationPackageName">-</Data>
+      <Data Name="WorkstationName">-</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000004</Data>
+      <Data Name="ProcessName"/>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4902</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.089672"/>
+      <EventRecordID>3</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="516"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="PuaCount">0</Data>
+      <Data Name="PuaPolicyId">0x0000000000035ce9</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4731</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.370474"/>
+      <EventRecordID>4</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Backup Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-551</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Backup Operators</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.370474"/>
+      <EventRecordID>5</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Backup Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-551</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4731</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.370474"/>
+      <EventRecordID>6</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Replicator</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-552</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Replicator</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.370474"/>
+      <EventRecordID>7</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Replicator</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-552</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4731</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.370474"/>
+      <EventRecordID>8</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Remote Desktop Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-555</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Remote Desktop Users</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.370474"/>
+      <EventRecordID>9</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Remote Desktop Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-555</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4731</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.370474"/>
+      <EventRecordID>10</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Network Configuration Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-556</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Network Configuration Operators</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.370474"/>
+      <EventRecordID>11</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Network Configuration Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-556</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4731</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.370474"/>
+      <EventRecordID>12</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Power Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-547</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Power Users</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.370474"/>
+      <EventRecordID>13</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Power Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-547</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4731</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.386072"/>
+      <EventRecordID>14</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Cryptographic Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-569</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Cryptographic Operators</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.386072"/>
+      <EventRecordID>15</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Cryptographic Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-569</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.713673"/>
+      <EventRecordID>16</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:37.713673"/>
+      <EventRecordID>17</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:38.914877"/>
+      <EventRecordID>18</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-20</Data>
+      <Data Name="TargetUserName">NETWORK SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e4</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:38.914877"/>
+      <EventRecordID>19</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-20</Data>
+      <Data Name="SubjectUserName">NETWORK SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e4</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:46.683689"/>
+      <EventRecordID>20</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-19</Data>
+      <Data Name="TargetUserName">LOCAL SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e5</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:46.683689"/>
+      <EventRecordID>21</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:46.995691"/>
+      <EventRecordID>22</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:46.995691"/>
+      <EventRecordID>23</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:47.011292"/>
+      <EventRecordID>24</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:47.011292"/>
+      <EventRecordID>25</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:47.338890"/>
+      <EventRecordID>26</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:47.338890"/>
+      <EventRecordID>27</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:50.162495"/>
+      <EventRecordID>28</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:50.162495"/>
+      <EventRecordID>29</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5033</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:50.864496"/>
+      <EventRecordID>30</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="64"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5024</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:52.065699"/>
+      <EventRecordID>31</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:15:54.717703"/>
+      <EventRecordID>32</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-7</Data>
+      <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000454a7</Data>
+      <Data Name="LogonType">3</Data>
+      <Data Name="LogonProcessName">NtLmSsp </Data>
+      <Data Name="AuthenticationPackageName">NTLM</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">NTLM V1</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000000</Data>
+      <Data Name="ProcessName">-</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:17:53.886312"/>
+      <EventRecordID>33</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="1868"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">Administrator</Data>
+      <Data Name="TargetDomainName">37L4247F27-25</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-500</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="DisplayName">-</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">-</Data>
+      <Data Name="HomePath">-</Data>
+      <Data Name="ScriptPath">-</Data>
+      <Data Name="ProfilePath">-</Data>
+      <Data Name="UserWorkstations">-</Data>
+      <Data Name="PasswordLastSet">-</Data>
+      <Data Name="AccountExpires">-</Data>
+      <Data Name="PrimaryGroupId">-</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x211</Data>
+      <Data Name="NewUacValue">0x211</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">-</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:17:55.461916"/>
+      <EventRecordID>34</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="1868"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:17:55.461916"/>
+      <EventRecordID>35</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="1868"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:17:57.708319"/>
+      <EventRecordID>36</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="1868"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:17:57.708319"/>
+      <EventRecordID>37</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="1868"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:18:23.900766"/>
+      <EventRecordID>38</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="1696"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:18:23.900766"/>
+      <EventRecordID>39</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="1696"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:18:24.165966"/>
+      <EventRecordID>40</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="552"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">37L4247F27-25$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:18:24.165966"/>
+      <EventRecordID>41</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="464" ThreadID="552"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog"/>
+      <EventID Qualifiers="">1100</EventID>
+      <Version>0</Version>
+      <Level>4</Level>
+      <Task>103</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x4020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:18:29.407576"/>
+      <EventRecordID>42</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="816" ThreadID="1468"/>
+      <Channel>Security</Channel>
+      <Computer>37L4247F27-25</Computer>
+      <Security UserID=""/>
+    </System>
+    <UserData>
+      <ServiceShutdown/>
+    </UserData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4608</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:19:26.671669"/>
+      <EventRecordID>43</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="480"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:19:26.827669"/>
+      <EventRecordID>44</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="480"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">0</Data>
+      <Data Name="LogonProcessName">-</Data>
+      <Data Name="AuthenticationPackageName">-</Data>
+      <Data Name="WorkstationName">-</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000004</Data>
+      <Data Name="ProcessName"/>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4902</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:19:29.058474"/>
+      <EventRecordID>45</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="532"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="PuaCount">0</Data>
+      <Data Name="PuaPolicyId">0x000000000000d031</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:19:29.276873"/>
+      <EventRecordID>46</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:19:29.276873"/>
+      <EventRecordID>47</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:19:30.212875"/>
+      <EventRecordID>48</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-20</Data>
+      <Data Name="TargetUserName">NETWORK SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e4</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:19:30.212875"/>
+      <EventRecordID>49</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-20</Data>
+      <Data Name="SubjectUserName">NETWORK SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e4</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:19:46.499304"/>
+      <EventRecordID>50</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="524"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:19:46.499304"/>
+      <EventRecordID>51</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="524"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:19:46.592903"/>
+      <EventRecordID>52</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="524"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:19:46.592903"/>
+      <EventRecordID>53</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="524"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:19:46.686502"/>
+      <EventRecordID>54</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="524"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-19</Data>
+      <Data Name="TargetUserName">LOCAL SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e5</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:19:46.686502"/>
+      <EventRecordID>55</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="524"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:14.799122"/>
+      <EventRecordID>56</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="748"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:14.799122"/>
+      <EventRecordID>57</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="748"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:16.811525"/>
+      <EventRecordID>58</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="748"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:16.811525"/>
+      <EventRecordID>59</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="748"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5033</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:17.185928"/>
+      <EventRecordID>60</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="44"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5024</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:19.057930"/>
+      <EventRecordID>61</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="748"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:19.369930"/>
+      <EventRecordID>62</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-7</Data>
+      <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x0000000000028c63</Data>
+      <Data Name="LogonType">3</Data>
+      <Data Name="LogonProcessName">NtLmSsp </Data>
+      <Data Name="AuthenticationPackageName">NTLM</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">NTLM V1</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000000</Data>
+      <Data Name="ProcessName">-</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.848738"/>
+      <EventRecordID>63</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Administrators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-544</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4781</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.848738"/>
+      <EventRecordID>64</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="OldTargetUserName">Administrators</Data>
+      <Data Name="NewTargetUserName">Administrators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-544</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.848738"/>
+      <EventRecordID>65</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Administrators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-544</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Administrators</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>66</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-545</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4781</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>67</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="OldTargetUserName">Users</Data>
+      <Data Name="NewTargetUserName">Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-545</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>68</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-545</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Users</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>69</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Guests</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-546</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4781</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>70</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="OldTargetUserName">Guests</Data>
+      <Data Name="NewTargetUserName">Guests</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-546</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>71</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Guests</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-546</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Guests</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>72</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Backup Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-551</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4781</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>73</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="OldTargetUserName">Backup Operators</Data>
+      <Data Name="NewTargetUserName">Backup Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-551</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>74</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Backup Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-551</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Backup Operators</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>75</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Replicator</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-552</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4781</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>76</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="OldTargetUserName">Replicator</Data>
+      <Data Name="NewTargetUserName">Replicator</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-552</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>77</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Replicator</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-552</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Replicator</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>78</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Remote Desktop Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-555</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4781</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>79</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="OldTargetUserName">Remote Desktop Users</Data>
+      <Data Name="NewTargetUserName">Remote Desktop Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-555</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>80</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Remote Desktop Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-555</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Remote Desktop Users</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>81</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Network Configuration Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-556</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4781</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>82</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="OldTargetUserName">Network Configuration Operators</Data>
+      <Data Name="NewTargetUserName">Network Configuration Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-556</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>83</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Network Configuration Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-556</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Network Configuration Operators</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>84</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Power Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-547</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4781</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>85</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="OldTargetUserName">Power Users</Data>
+      <Data Name="NewTargetUserName">Power Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-547</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>86</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Power Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-547</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Power Users</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>87</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Performance Monitor Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-558</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4781</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>88</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="OldTargetUserName">Performance Monitor Users</Data>
+      <Data Name="NewTargetUserName">Performance Monitor Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-558</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>89</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Performance Monitor Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-558</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Performance Monitor Users</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>90</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Performance Log Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-559</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4781</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>91</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="OldTargetUserName">Performance Log Users</Data>
+      <Data Name="NewTargetUserName">Performance Log Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-559</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>92</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Performance Log Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-559</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Performance Log Users</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>93</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Distributed COM Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-562</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4781</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>94</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="OldTargetUserName">Distributed COM Users</Data>
+      <Data Name="NewTargetUserName">Distributed COM Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-562</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>95</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Distributed COM Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-562</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Distributed COM Users</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>96</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">IIS_IUSRS</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-568</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4781</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>97</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="OldTargetUserName">IIS_IUSRS</Data>
+      <Data Name="NewTargetUserName">IIS_IUSRS</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-568</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>98</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">IIS_IUSRS</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-568</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">IIS_IUSRS</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>99</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Cryptographic Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-569</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4781</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>100</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="OldTargetUserName">Cryptographic Operators</Data>
+      <Data Name="NewTargetUserName">Cryptographic Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-569</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>101</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Cryptographic Operators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-569</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Cryptographic Operators</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>102</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Event Log Readers</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-573</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4781</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>103</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="OldTargetUserName">Event Log Readers</Data>
+      <Data Name="NewTargetUserName">Event Log Readers</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-573</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4735</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>104</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">Event Log Readers</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-573</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Event Log Readers</Data>
+      <Data Name="SidHistory">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>105</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">Administrator</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-500</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Administrator</Data>
+      <Data Name="DisplayName">%%1793</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">11/20/2010 8:57:24 PM</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x211</Data>
+      <Data Name="NewUacValue">0x211</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>106</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">Administrator</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-500</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Administrator</Data>
+      <Data Name="DisplayName">%%1793</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">11/20/2010 8:57:24 PM</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x211</Data>
+      <Data Name="NewUacValue">0x211</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>107</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">Guest</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-501</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Guest</Data>
+      <Data Name="DisplayName">%%1793</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">%%1794</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x215</Data>
+      <Data Name="NewUacValue">0x215</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 10:33:22.864338"/>
+      <EventRecordID>108</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">Guest</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-501</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">Guest</Data>
+      <Data Name="DisplayName">%%1793</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">%%1794</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x215</Data>
+      <Data Name="NewUacValue">0x215</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4616</EventID>
+      <Version>1</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:33:53.237000"/>
+      <EventRecordID>109</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="64"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PreviousTime">2015-03-25 10:34:25.685648</Data>
+      <Data Name="NewTime">2015-03-22 14:33:53.237000</Data>
+      <Data Name="ProcessId">0x0000000000000340</Data>
+      <Data Name="ProcessName">C:\Windows\System32\oobe\msoobe.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4728</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:33:54.422602"/>
+      <EventRecordID>110</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="748"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="MemberName">-</Data>
+      <Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">None</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-513</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4720</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:33:54.422602"/>
+      <EventRecordID>111</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="748"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">informant</Data>
+      <Data Name="DisplayName">%%1793</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">%%1794</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x0</Data>
+      <Data Name="NewUacValue">0x15</Data>
+      <Data Name="UserAccountControl">
+		%%2080
+		%%2082
+		%%2084</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4732</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:33:54.422602"/>
+      <EventRecordID>112</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="748"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="MemberName">-</Data>
+      <Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-545</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4722</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:33:54.438202"/>
+      <EventRecordID>113</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="748"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:33:54.438202"/>
+      <EventRecordID>114</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="748"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">informant</Data>
+      <Data Name="DisplayName">%%1793</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">%%1794</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x15</Data>
+      <Data Name="NewUacValue">0x14</Data>
+      <Data Name="UserAccountControl">
+		%%2048</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4732</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:33:54.453800"/>
+      <EventRecordID>115</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="748"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="MemberName">-</Data>
+      <Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">Administrators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-544</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4733</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:33:54.485001"/>
+      <EventRecordID>116</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="1828"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="MemberName">-</Data>
+      <Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-545</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:33:54.485001"/>
+      <EventRecordID>117</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="1828"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">informant</Data>
+      <Data Name="DisplayName">%%1793</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">3/22/2015 10:33:54 AM</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x14</Data>
+      <Data Name="NewUacValue">0x214</Data>
+      <Data Name="UserAccountControl">
+		%%2089</Data>
+      <Data Name="UserParameters">-</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4724</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:33:54.485001"/>
+      <EventRecordID>118</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="1828"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:33:54.485001"/>
+      <EventRecordID>119</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="1828"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="DisplayName">-</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">-</Data>
+      <Data Name="HomePath">-</Data>
+      <Data Name="ScriptPath">-</Data>
+      <Data Name="ProfilePath">-</Data>
+      <Data Name="UserWorkstations">-</Data>
+      <Data Name="PasswordLastSet">-</Data>
+      <Data Name="AccountExpires">-</Data>
+      <Data Name="PrimaryGroupId">-</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">-</Data>
+      <Data Name="NewUacValue">-</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">-</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:34:24.717855"/>
+      <EventRecordID>120</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="1828"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:34:24.717855"/>
+      <EventRecordID>121</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="1828"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:34:28.922289"/>
+      <EventRecordID>122</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">localhost</Data>
+      <Data Name="TargetInfo">localhost</Data>
+      <Data Name="ProcessId">0x0000000000000194</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:34:28.922289"/>
+      <EventRecordID>123</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x000000000003be29</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">WIN-D9RGPJQ68G8</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000194</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:34:28.922289"/>
+      <EventRecordID>124</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x000000000003db0a</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">WIN-D9RGPJQ68G8</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000194</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:34:28.922289"/>
+      <EventRecordID>125</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="796"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x000000000003be29</Data>
+      <Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:34:49.529924"/>
+      <EventRecordID>126</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="748"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">WIN-D9RGPJQ68G8$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:34:49.529924"/>
+      <EventRecordID>127</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="748"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog"/>
+      <EventID Qualifiers="">1100</EventID>
+      <Version>0</Version>
+      <Level>4</Level>
+      <Task>103</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x4020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:38:16.402891"/>
+      <EventRecordID>128</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="952" ThreadID="2504"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <UserData>
+      <ServiceShutdown/>
+    </UserData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4647</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:38:15.888088"/>
+      <EventRecordID>129</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="476" ThreadID="1828"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x000000000003db0a</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4608</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:14.039225"/>
+      <EventRecordID>130</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="460"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:14.086025"/>
+      <EventRecordID>131</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="460"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">0</Data>
+      <Data Name="LogonProcessName">-</Data>
+      <Data Name="AuthenticationPackageName">-</Data>
+      <Data Name="WorkstationName">-</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000004</Data>
+      <Data Name="ProcessName"/>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4902</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:15.053226"/>
+      <EventRecordID>132</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="524"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="PuaCount">0</Data>
+      <Data Name="PuaPolicyId">0x000000000000b8dc</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:15.193626"/>
+      <EventRecordID>133</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="520"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:15.193626"/>
+      <EventRecordID>134</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="520"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:15.692829"/>
+      <EventRecordID>135</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="520"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-20</Data>
+      <Data Name="TargetUserName">NETWORK SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e4</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:15.692829"/>
+      <EventRecordID>136</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="520"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-20</Data>
+      <Data Name="SubjectUserName">NETWORK SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e4</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:16.207628"/>
+      <EventRecordID>137</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="520"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-19</Data>
+      <Data Name="TargetUserName">LOCAL SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e5</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:16.207628"/>
+      <EventRecordID>138</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="520"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:16.660030"/>
+      <EventRecordID>139</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="504"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:16.660030"/>
+      <EventRecordID>140</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="504"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:16.675631"/>
+      <EventRecordID>141</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="504"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:16.675631"/>
+      <EventRecordID>142</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="504"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:20.216837"/>
+      <EventRecordID>143</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="504"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:20.216837"/>
+      <EventRecordID>144</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="504"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5033</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:21.418037"/>
+      <EventRecordID>145</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="68"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5024</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:23.773643"/>
+      <EventRecordID>146</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="520"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:51:27.299248"/>
+      <EventRecordID>147</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="520"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-7</Data>
+      <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x000000000001a667</Data>
+      <Data Name="LogonType">3</Data>
+      <Data Name="LogonProcessName">NtLmSsp </Data>
+      <Data Name="AuthenticationPackageName">NTLM</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">NTLM V1</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000000</Data>
+      <Data Name="ProcessName">-</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:53:30.717463"/>
+      <EventRecordID>148</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="1812"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:53:30.717463"/>
+      <EventRecordID>149</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="1812"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:53:31.981066"/>
+      <EventRecordID>150</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="1812"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:53:31.981066"/>
+      <EventRecordID>151</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="1812"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:53:39.874680"/>
+      <EventRecordID>152</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="492"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">localhost</Data>
+      <Data Name="TargetInfo">localhost</Data>
+      <Data Name="ProcessId">0x0000000000000184</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:53:39.874680"/>
+      <EventRecordID>153</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="492"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000026923</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000184</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:53:39.874680"/>
+      <EventRecordID>154</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="492"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000026951</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000184</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 14:53:39.874680"/>
+      <EventRecordID>155</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="492"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x0000000000026923</Data>
+      <Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:00:08.475166"/>
+      <EventRecordID>156</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="1812"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:00:08.475166"/>
+      <EventRecordID>157</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="1812"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:00:08.615566"/>
+      <EventRecordID>158</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="1648"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:00:08.615566"/>
+      <EventRecordID>159</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="1648"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:00:18.412384"/>
+      <EventRecordID>160</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="2096"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:00:18.412384"/>
+      <EventRecordID>161</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="2096"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4904</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:00:20.799187"/>
+      <EventRecordID>162</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="1648"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="AuditSourceName">VSSAudit</Data>
+      <Data Name="EventSourceId">0x0000000000069adb</Data>
+      <Data Name="ProcessId">0x0000000000000bc0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4905</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:00:20.799187"/>
+      <EventRecordID>163</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="1648"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="AuditSourceName">VSSAudit</Data>
+      <Data Name="EventSourceId">0x0000000000069adb</Data>
+      <Data Name="ProcessId">0x0000000000000bc0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4904</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:00:36.648815"/>
+      <EventRecordID>164</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="1856"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="AuditSourceName">VSSAudit</Data>
+      <Data Name="EventSourceId">0x00000000000835e3</Data>
+      <Data Name="ProcessId">0x0000000000000bc0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4905</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:00:36.648815"/>
+      <EventRecordID>165</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="1856"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="AuditSourceName">VSSAudit</Data>
+      <Data Name="EventSourceId">0x00000000000835e3</Data>
+      <Data Name="ProcessId">0x0000000000000bc0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:04:33.457232"/>
+      <EventRecordID>166</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="492"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:04:33.457232"/>
+      <EventRecordID>167</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="492"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:12:37.117380"/>
+      <EventRecordID>168</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="2320"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:12:37.117380"/>
+      <EventRecordID>169</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="2320"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:13:12.170641"/>
+      <EventRecordID>170</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="2320"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:13:12.170641"/>
+      <EventRecordID>171</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="2320"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:13:12.857042"/>
+      <EventRecordID>172</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="3756"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:13:12.857042"/>
+      <EventRecordID>173</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="3756"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4904</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:13:25.305864"/>
+      <EventRecordID>174</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="3116"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="AuditSourceName">VSSAudit</Data>
+      <Data Name="EventSourceId">0x00000000001fa262</Data>
+      <Data Name="ProcessId">0x0000000000000e6c</Data>
+      <Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4905</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:13:25.305864"/>
+      <EventRecordID>175</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="3116"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="AuditSourceName">VSSAudit</Data>
+      <Data Name="EventSourceId">0x00000000001fa262</Data>
+      <Data Name="ProcessId">0x0000000000000e6c</Data>
+      <Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:16:01.446539"/>
+      <EventRecordID>176</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="3116"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:16:01.446539"/>
+      <EventRecordID>177</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="3116"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:17:19.431074"/>
+      <EventRecordID>178</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\winsxs\Temp\PendingRenames\a86dcf49b364d00184220000f80e440b.install.ins</Data>
+      <Data Name="HandleId">0x00000000000086e8</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI</Data>
+      <Data Name="ProcessId">0x0000000000000ef8</Data>
+      <Data Name="ProcessName">C:\Windows\servicing\TrustedInstaller.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:17:19.431074"/>
+      <EventRecordID>179</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\winsxs\Temp\PendingRenames\08cfd149b364d00185220000f80e440b.install.ins</Data>
+      <Data Name="HandleId">0x00000000000088b0</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI</Data>
+      <Data Name="ProcessId">0x0000000000000ef8</Data>
+      <Data Name="ProcessName">C:\Windows\servicing\TrustedInstaller.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4647</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:52.829239"/>
+      <EventRecordID>180</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="3116"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000026951</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.356443"/>
+      <EventRecordID>181</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\DWrite.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.356443"/>
+      <EventRecordID>182</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\d2d1.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.356443"/>
+      <EventRecordID>183</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\msmpeg2vdec.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.372044"/>
+      <EventRecordID>184</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.372044"/>
+      <EventRecordID>185</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\d3d10core.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.372044"/>
+      <EventRecordID>186</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.387644"/>
+      <EventRecordID>187</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.387644"/>
+      <EventRecordID>188</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\XpsGdiConverter.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.387644"/>
+      <EventRecordID>189</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.403244"/>
+      <EventRecordID>190</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\d3d10warp.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.403244"/>
+      <EventRecordID>191</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.403244"/>
+      <EventRecordID>192</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\dxgi.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.418844"/>
+      <EventRecordID>193</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\WMPhoto.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.418844"/>
+      <EventRecordID>194</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\FntCache.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.418844"/>
+      <EventRecordID>195</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.434444"/>
+      <EventRecordID>196</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\d3d10_1.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.434444"/>
+      <EventRecordID>197</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\WindowsCodecsExt.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.434444"/>
+      <EventRecordID>198</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.450045"/>
+      <EventRecordID>199</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\d3d10level9.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.450045"/>
+      <EventRecordID>200</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\UIAnimation.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.450045"/>
+      <EventRecordID>201</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.450045"/>
+      <EventRecordID>202</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\d3d10_1core.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.465645"/>
+      <EventRecordID>203</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\XpsPrint.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.465645"/>
+      <EventRecordID>204</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.465645"/>
+      <EventRecordID>205</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\d3d10.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.481245"/>
+      <EventRecordID>206</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\WindowsCodecs.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.481245"/>
+      <EventRecordID>207</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\d3d11.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.481245"/>
+      <EventRecordID>208</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.496843"/>
+      <EventRecordID>209</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.496843"/>
+      <EventRecordID>210</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\UIAnimation.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.496843"/>
+      <EventRecordID>211</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.512444"/>
+      <EventRecordID>212</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.512444"/>
+      <EventRecordID>213</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\da-DK\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.512444"/>
+      <EventRecordID>214</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\da-DK\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.528044"/>
+      <EventRecordID>215</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\da-DK\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.528044"/>
+      <EventRecordID>216</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\da-DK\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.528044"/>
+      <EventRecordID>217</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\nb-NO\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.543644"/>
+      <EventRecordID>218</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\nb-NO\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.543644"/>
+      <EventRecordID>219</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\nb-NO\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.543644"/>
+      <EventRecordID>220</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\nb-NO\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.559244"/>
+      <EventRecordID>221</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\spp\tokens\ppdlic\msmpeg2vdec-ppdlic.xrm-ms</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.559244"/>
+      <EventRecordID>222</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ru-RU\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.559244"/>
+      <EventRecordID>223</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ru-RU\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.574844"/>
+      <EventRecordID>224</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ru-RU\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.574844"/>
+      <EventRecordID>225</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ru-RU\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.574844"/>
+      <EventRecordID>226</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ja-JP\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.590445"/>
+      <EventRecordID>227</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ja-JP\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.590445"/>
+      <EventRecordID>228</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ja-JP\UIAnimation.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.606045"/>
+      <EventRecordID>229</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ja-JP\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.606045"/>
+      <EventRecordID>230</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ja-JP\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.606045"/>
+      <EventRecordID>231</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\zh-CN\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.606045"/>
+      <EventRecordID>232</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\zh-CN\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.621645"/>
+      <EventRecordID>233</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\zh-CN\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.621645"/>
+      <EventRecordID>234</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\zh-CN\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.621645"/>
+      <EventRecordID>235</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\cs-CZ\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.637243"/>
+      <EventRecordID>236</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\cs-CZ\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.637243"/>
+      <EventRecordID>237</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\cs-CZ\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.637243"/>
+      <EventRecordID>238</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\cs-CZ\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.637243"/>
+      <EventRecordID>239</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\de-DE\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.652843"/>
+      <EventRecordID>240</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\de-DE\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.652843"/>
+      <EventRecordID>241</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\de-DE\UIAnimation.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.668444"/>
+      <EventRecordID>242</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\de-DE\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.668444"/>
+      <EventRecordID>243</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\de-DE\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.668444"/>
+      <EventRecordID>244</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\zh-TW\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.684044"/>
+      <EventRecordID>245</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\zh-TW\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.684044"/>
+      <EventRecordID>246</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\zh-TW\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.684044"/>
+      <EventRecordID>247</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\zh-TW\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.699644"/>
+      <EventRecordID>248</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\es-ES\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.699644"/>
+      <EventRecordID>249</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\es-ES\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.699644"/>
+      <EventRecordID>250</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\es-ES\UIAnimation.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.715244"/>
+      <EventRecordID>251</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\es-ES\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.715244"/>
+      <EventRecordID>252</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\es-ES\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.715244"/>
+      <EventRecordID>253</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\sv-SE\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.715244"/>
+      <EventRecordID>254</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\sv-SE\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.730844"/>
+      <EventRecordID>255</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\sv-SE\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.730844"/>
+      <EventRecordID>256</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\sv-SE\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.730844"/>
+      <EventRecordID>257</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\tr-TR\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.730844"/>
+      <EventRecordID>258</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\tr-TR\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.746445"/>
+      <EventRecordID>259</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\tr-TR\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.746445"/>
+      <EventRecordID>260</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\tr-TR\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.746445"/>
+      <EventRecordID>261</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\fi-FI\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.746445"/>
+      <EventRecordID>262</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\fi-FI\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.762045"/>
+      <EventRecordID>263</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\fi-FI\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.762045"/>
+      <EventRecordID>264</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\fi-FI\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.762045"/>
+      <EventRecordID>265</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\fr-FR\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.762045"/>
+      <EventRecordID>266</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\fr-FR\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.777645"/>
+      <EventRecordID>267</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\fr-FR\UIAnimation.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.777645"/>
+      <EventRecordID>268</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\fr-FR\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.777645"/>
+      <EventRecordID>269</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\fr-FR\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.793243"/>
+      <EventRecordID>270</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\nl-NL\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.793243"/>
+      <EventRecordID>271</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\nl-NL\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.793243"/>
+      <EventRecordID>272</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\nl-NL\UIAnimation.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.793243"/>
+      <EventRecordID>273</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\nl-NL\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.808844"/>
+      <EventRecordID>274</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\nl-NL\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.808844"/>
+      <EventRecordID>275</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\el-GR\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.808844"/>
+      <EventRecordID>276</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\el-GR\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.824444"/>
+      <EventRecordID>277</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\el-GR\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.824444"/>
+      <EventRecordID>278</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\el-GR\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.824444"/>
+      <EventRecordID>279</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\zh-HK\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.840044"/>
+      <EventRecordID>280</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\zh-HK\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.840044"/>
+      <EventRecordID>281</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\zh-HK\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.840044"/>
+      <EventRecordID>282</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\zh-HK\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.840044"/>
+      <EventRecordID>283</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\hu-HU\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.855644"/>
+      <EventRecordID>284</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\hu-HU\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.855644"/>
+      <EventRecordID>285</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\hu-HU\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.855644"/>
+      <EventRecordID>286</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\hu-HU\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.855644"/>
+      <EventRecordID>287</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ko-KR\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.871246"/>
+      <EventRecordID>288</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ko-KR\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.871246"/>
+      <EventRecordID>289</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ko-KR\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.871246"/>
+      <EventRecordID>290</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ko-KR\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.871246"/>
+      <EventRecordID>291</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\pl-PL\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.886847"/>
+      <EventRecordID>292</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\pl-PL\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.886847"/>
+      <EventRecordID>293</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\pl-PL\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.886847"/>
+      <EventRecordID>294</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\pl-PL\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.902447"/>
+      <EventRecordID>295</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\pt-PT\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.902447"/>
+      <EventRecordID>296</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\pt-PT\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.902447"/>
+      <EventRecordID>297</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\pt-PT\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.902447"/>
+      <EventRecordID>298</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\pt-PT\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.918045"/>
+      <EventRecordID>299</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\it-IT\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.918045"/>
+      <EventRecordID>300</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\it-IT\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.918045"/>
+      <EventRecordID>301</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\it-IT\UIAnimation.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.918045"/>
+      <EventRecordID>302</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\it-IT\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.933645"/>
+      <EventRecordID>303</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\it-IT\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.933645"/>
+      <EventRecordID>304</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\pt-BR\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.933645"/>
+      <EventRecordID>305</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\pt-BR\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.949245"/>
+      <EventRecordID>306</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\pt-BR\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.949245"/>
+      <EventRecordID>307</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\pt-BR\FntCache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.949245"/>
+      <EventRecordID>308</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\DWrite.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.964846"/>
+      <EventRecordID>309</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\d2d1.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.964846"/>
+      <EventRecordID>310</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\msmpeg2vdec.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.964846"/>
+      <EventRecordID>311</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.980446"/>
+      <EventRecordID>312</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\d3d10core.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.980446"/>
+      <EventRecordID>313</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.996046"/>
+      <EventRecordID>314</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.996046"/>
+      <EventRecordID>315</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\XpsGdiConverter.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:55.996046"/>
+      <EventRecordID>316</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.011646"/>
+      <EventRecordID>317</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\d3d10warp.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.011646"/>
+      <EventRecordID>318</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\dxgi.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.011646"/>
+      <EventRecordID>319</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.027246"/>
+      <EventRecordID>320</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\WMPhoto.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.027246"/>
+      <EventRecordID>321</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.042847"/>
+      <EventRecordID>322</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\d3d10_1.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.042847"/>
+      <EventRecordID>323</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\d3d10level9.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.074045"/>
+      <EventRecordID>324</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\WindowsCodecsExt.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.074045"/>
+      <EventRecordID>325</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.074045"/>
+      <EventRecordID>326</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.074045"/>
+      <EventRecordID>327</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\UIAnimation.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.089645"/>
+      <EventRecordID>328</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\d3d10_1core.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.089645"/>
+      <EventRecordID>329</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\XpsPrint.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.089645"/>
+      <EventRecordID>330</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.089645"/>
+      <EventRecordID>331</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\d3d10.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.105246"/>
+      <EventRecordID>332</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\WindowsCodecs.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.105246"/>
+      <EventRecordID>333</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\d3d11.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.120846"/>
+      <EventRecordID>334</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.120846"/>
+      <EventRecordID>335</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.120846"/>
+      <EventRecordID>336</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\UIAnimation.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.120846"/>
+      <EventRecordID>337</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.136446"/>
+      <EventRecordID>338</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\da-DK\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.136446"/>
+      <EventRecordID>339</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\da-DK\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.136446"/>
+      <EventRecordID>340</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\da-DK\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.136446"/>
+      <EventRecordID>341</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\nb-NO\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.152046"/>
+      <EventRecordID>342</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\nb-NO\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.152046"/>
+      <EventRecordID>343</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\nb-NO\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.183247"/>
+      <EventRecordID>344</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\spp\tokens\ppdlic\msmpeg2vdec-ppdlic.xrm-ms</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.183247"/>
+      <EventRecordID>345</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ru-RU\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.183247"/>
+      <EventRecordID>346</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ru-RU\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.183247"/>
+      <EventRecordID>347</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ru-RU\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.183247"/>
+      <EventRecordID>348</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ja-JP\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.198845"/>
+      <EventRecordID>349</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ja-JP\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.198845"/>
+      <EventRecordID>350</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ja-JP\UIAnimation.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.198845"/>
+      <EventRecordID>351</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ja-JP\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.198845"/>
+      <EventRecordID>352</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\zh-CN\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.198845"/>
+      <EventRecordID>353</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\zh-CN\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.214445"/>
+      <EventRecordID>354</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\zh-CN\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.214445"/>
+      <EventRecordID>355</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\cs-CZ\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.214445"/>
+      <EventRecordID>356</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\cs-CZ\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.214445"/>
+      <EventRecordID>357</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\cs-CZ\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.230045"/>
+      <EventRecordID>358</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\de-DE\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.230045"/>
+      <EventRecordID>359</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\de-DE\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.230045"/>
+      <EventRecordID>360</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\de-DE\UIAnimation.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.230045"/>
+      <EventRecordID>361</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\de-DE\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.245646"/>
+      <EventRecordID>362</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\zh-TW\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.245646"/>
+      <EventRecordID>363</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\zh-TW\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.245646"/>
+      <EventRecordID>364</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\zh-TW\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.245646"/>
+      <EventRecordID>365</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\es-ES\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.261246"/>
+      <EventRecordID>366</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\es-ES\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.261246"/>
+      <EventRecordID>367</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\es-ES\UIAnimation.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.261246"/>
+      <EventRecordID>368</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\es-ES\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.261246"/>
+      <EventRecordID>369</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\sv-SE\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.261246"/>
+      <EventRecordID>370</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\sv-SE\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.276846"/>
+      <EventRecordID>371</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\sv-SE\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.276846"/>
+      <EventRecordID>372</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\tr-TR\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.276846"/>
+      <EventRecordID>373</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\tr-TR\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.276846"/>
+      <EventRecordID>374</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\tr-TR\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.276846"/>
+      <EventRecordID>375</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\fi-FI\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.292446"/>
+      <EventRecordID>376</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\fi-FI\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.292446"/>
+      <EventRecordID>377</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\fi-FI\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.292446"/>
+      <EventRecordID>378</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\fr-FR\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.292446"/>
+      <EventRecordID>379</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\fr-FR\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.308046"/>
+      <EventRecordID>380</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\fr-FR\UIAnimation.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.308046"/>
+      <EventRecordID>381</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\fr-FR\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.308046"/>
+      <EventRecordID>382</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\nl-NL\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.308046"/>
+      <EventRecordID>383</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\nl-NL\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.323647"/>
+      <EventRecordID>384</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\nl-NL\UIAnimation.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.323647"/>
+      <EventRecordID>385</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\nl-NL\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.323647"/>
+      <EventRecordID>386</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\el-GR\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.323647"/>
+      <EventRecordID>387</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\el-GR\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.339247"/>
+      <EventRecordID>388</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\el-GR\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.339247"/>
+      <EventRecordID>389</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\zh-HK\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.339247"/>
+      <EventRecordID>390</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\zh-HK\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.339247"/>
+      <EventRecordID>391</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\zh-HK\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.354845"/>
+      <EventRecordID>392</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\hu-HU\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.354845"/>
+      <EventRecordID>393</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\hu-HU\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.354845"/>
+      <EventRecordID>394</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\hu-HU\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.354845"/>
+      <EventRecordID>395</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ko-KR\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.370445"/>
+      <EventRecordID>396</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ko-KR\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.370445"/>
+      <EventRecordID>397</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ko-KR\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.370445"/>
+      <EventRecordID>398</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\pl-PL\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.370445"/>
+      <EventRecordID>399</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\pl-PL\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.370445"/>
+      <EventRecordID>400</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\pl-PL\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.386045"/>
+      <EventRecordID>401</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\pt-PT\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.386045"/>
+      <EventRecordID>402</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\pt-PT\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.386045"/>
+      <EventRecordID>403</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\pt-PT\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.386045"/>
+      <EventRecordID>404</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\it-IT\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.401646"/>
+      <EventRecordID>405</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\it-IT\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.401646"/>
+      <EventRecordID>406</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\it-IT\UIAnimation.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.401646"/>
+      <EventRecordID>407</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\it-IT\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.401646"/>
+      <EventRecordID>408</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\pt-BR\WMPhoto.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.417246"/>
+      <EventRecordID>409</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\pt-BR\d2d1.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.417246"/>
+      <EventRecordID>410</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\pt-BR\DWrite.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.588846"/>
+      <EventRecordID>411</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ntoskrnl.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.588846"/>
+      <EventRecordID>412</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ntoskrnl.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.604446"/>
+      <EventRecordID>413</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ntkrnlpa.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.698046"/>
+      <EventRecordID>414</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\AppPatch\acwow64.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.698046"/>
+      <EventRecordID>415</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.713646"/>
+      <EventRecordID>416</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.713646"/>
+      <EventRecordID>417</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.713646"/>
+      <EventRecordID>418</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.729248"/>
+      <EventRecordID>419</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\wow64.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.729248"/>
+      <EventRecordID>420</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\wow64cpu.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.729248"/>
+      <EventRecordID>421</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.885248"/>
+      <EventRecordID>422</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.900846"/>
+      <EventRecordID>423</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.900846"/>
+      <EventRecordID>424</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.900846"/>
+      <EventRecordID>425</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.916447"/>
+      <EventRecordID>426</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.916447"/>
+      <EventRecordID>427</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.916447"/>
+      <EventRecordID>428</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ntvdm64.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.932047"/>
+      <EventRecordID>429</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.932047"/>
+      <EventRecordID>430</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.932047"/>
+      <EventRecordID>431</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.947647"/>
+      <EventRecordID>432</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.947647"/>
+      <EventRecordID>433</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.947647"/>
+      <EventRecordID>434</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.947647"/>
+      <EventRecordID>435</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\conhost.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.963247"/>
+      <EventRecordID>436</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.963247"/>
+      <EventRecordID>437</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.963247"/>
+      <EventRecordID>438</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.978848"/>
+      <EventRecordID>439</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\wow64win.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.978848"/>
+      <EventRecordID>440</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.978848"/>
+      <EventRecordID>441</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\kernel32.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.994448"/>
+      <EventRecordID>442</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\KernelBase.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.994448"/>
+      <EventRecordID>443</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:56.994448"/>
+      <EventRecordID>444</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.010048"/>
+      <EventRecordID>445</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.010048"/>
+      <EventRecordID>446</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.010048"/>
+      <EventRecordID>447</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\winsrv.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.025648"/>
+      <EventRecordID>448</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.025648"/>
+      <EventRecordID>449</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.025648"/>
+      <EventRecordID>450</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.041248"/>
+      <EventRecordID>451</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.041248"/>
+      <EventRecordID>452</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.041248"/>
+      <EventRecordID>453</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\setup16.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.056847"/>
+      <EventRecordID>454</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\user.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.056847"/>
+      <EventRecordID>455</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.056847"/>
+      <EventRecordID>456</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ntvdm64.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.056847"/>
+      <EventRecordID>457</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.072447"/>
+      <EventRecordID>458</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.072447"/>
+      <EventRecordID>459</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.072447"/>
+      <EventRecordID>460</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.088047"/>
+      <EventRecordID>461</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.088047"/>
+      <EventRecordID>462</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.088047"/>
+      <EventRecordID>463</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.088047"/>
+      <EventRecordID>464</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.103647"/>
+      <EventRecordID>465</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.103647"/>
+      <EventRecordID>466</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\instnm.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.103647"/>
+      <EventRecordID>467</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.119247"/>
+      <EventRecordID>468</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.119247"/>
+      <EventRecordID>469</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.119247"/>
+      <EventRecordID>470</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.119247"/>
+      <EventRecordID>471</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.134848"/>
+      <EventRecordID>472</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.134848"/>
+      <EventRecordID>473</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\kernel32.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.134848"/>
+      <EventRecordID>474</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.134848"/>
+      <EventRecordID>475</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.150448"/>
+      <EventRecordID>476</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.150448"/>
+      <EventRecordID>477</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.150448"/>
+      <EventRecordID>478</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.166048"/>
+      <EventRecordID>479</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\KernelBase.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.166048"/>
+      <EventRecordID>480</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.166048"/>
+      <EventRecordID>481</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.181648"/>
+      <EventRecordID>482</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.181648"/>
+      <EventRecordID>483</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.181648"/>
+      <EventRecordID>484</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.181648"/>
+      <EventRecordID>485</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\wow32.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.384447"/>
+      <EventRecordID>486</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\AppPatch\acwow64.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.446848"/>
+      <EventRecordID>487</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.462448"/>
+      <EventRecordID>488</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.462448"/>
+      <EventRecordID>489</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.462448"/>
+      <EventRecordID>490</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.478048"/>
+      <EventRecordID>491</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\wow64.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.478048"/>
+      <EventRecordID>492</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\wow64cpu.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.493647"/>
+      <EventRecordID>493</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.493647"/>
+      <EventRecordID>494</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.493647"/>
+      <EventRecordID>495</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.509247"/>
+      <EventRecordID>496</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.509247"/>
+      <EventRecordID>497</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.509247"/>
+      <EventRecordID>498</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.524847"/>
+      <EventRecordID>499</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.524847"/>
+      <EventRecordID>500</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ntvdm64.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.540447"/>
+      <EventRecordID>501</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.540447"/>
+      <EventRecordID>502</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.540447"/>
+      <EventRecordID>503</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.556047"/>
+      <EventRecordID>504</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.556047"/>
+      <EventRecordID>505</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.556047"/>
+      <EventRecordID>506</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.571648"/>
+      <EventRecordID>507</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\conhost.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.571648"/>
+      <EventRecordID>508</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.587248"/>
+      <EventRecordID>509</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.587248"/>
+      <EventRecordID>510</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.587248"/>
+      <EventRecordID>511</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\wow64win.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.587248"/>
+      <EventRecordID>512</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.602848"/>
+      <EventRecordID>513</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\kernel32.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.602848"/>
+      <EventRecordID>514</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\KernelBase.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.618448"/>
+      <EventRecordID>515</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.712049"/>
+      <EventRecordID>516</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.727650"/>
+      <EventRecordID>517</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.727650"/>
+      <EventRecordID>518</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.727650"/>
+      <EventRecordID>519</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\winsrv.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.727650"/>
+      <EventRecordID>520</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.743250"/>
+      <EventRecordID>521</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.743250"/>
+      <EventRecordID>522</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.743250"/>
+      <EventRecordID>523</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\KernelBase.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.758848"/>
+      <EventRecordID>524</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\instnm.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.758848"/>
+      <EventRecordID>525</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.758848"/>
+      <EventRecordID>526</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.774448"/>
+      <EventRecordID>527</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.774448"/>
+      <EventRecordID>528</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.774448"/>
+      <EventRecordID>529</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\user.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.774448"/>
+      <EventRecordID>530</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.790049"/>
+      <EventRecordID>531</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.790049"/>
+      <EventRecordID>532</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.790049"/>
+      <EventRecordID>533</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.790049"/>
+      <EventRecordID>534</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.805649"/>
+      <EventRecordID>535</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.805649"/>
+      <EventRecordID>536</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.805649"/>
+      <EventRecordID>537</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ntvdm64.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.805649"/>
+      <EventRecordID>538</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.821249"/>
+      <EventRecordID>539</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.821249"/>
+      <EventRecordID>540</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.821249"/>
+      <EventRecordID>541</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.836849"/>
+      <EventRecordID>542</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.836849"/>
+      <EventRecordID>543</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.836849"/>
+      <EventRecordID>544</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\wow32.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.836849"/>
+      <EventRecordID>545</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.852449"/>
+      <EventRecordID>546</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.852449"/>
+      <EventRecordID>547</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.852449"/>
+      <EventRecordID>548</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.852449"/>
+      <EventRecordID>549</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\kernel32.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.868050"/>
+      <EventRecordID>550</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\KernelBase.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.868050"/>
+      <EventRecordID>551</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.868050"/>
+      <EventRecordID>552</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.883650"/>
+      <EventRecordID>553</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.883650"/>
+      <EventRecordID>554</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.883650"/>
+      <EventRecordID>555</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.883650"/>
+      <EventRecordID>556</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\setup16.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.899248"/>
+      <EventRecordID>557</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.899248"/>
+      <EventRecordID>558</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:57.899248"/>
+      <EventRecordID>559</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\KernelBase.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.024050"/>
+      <EventRecordID>560</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\Fonts\seguisym.ttf</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.024050"/>
+      <EventRecordID>561</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\Fonts\segoeui.ttf</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.024050"/>
+      <EventRecordID>562</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\Fonts\segoeuiz.ttf</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.039648"/>
+      <EventRecordID>563</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\Fonts\segoeuib.ttf</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.039648"/>
+      <EventRecordID>564</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\Fonts\segoeuii.ttf</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.148849"/>
+      <EventRecordID>565</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\taskhost.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.148849"/>
+      <EventRecordID>566</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\drivers\afd.sys</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.148849"/>
+      <EventRecordID>567</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\drivers\FWPKCLNT.SYS</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.164450"/>
+      <EventRecordID>568</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\drivers\tcpip.sys</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.164450"/>
+      <EventRecordID>569</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\drivers\netio.sys</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.195648"/>
+      <EventRecordID>570</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\mswsock.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.195648"/>
+      <EventRecordID>571</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\mswsock.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.320450"/>
+      <EventRecordID>572</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\smss.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.336048"/>
+      <EventRecordID>573</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\csrsrv.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.336048"/>
+      <EventRecordID>574</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ntdll.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.351648"/>
+      <EventRecordID>575</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ntoskrnl.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.351648"/>
+      <EventRecordID>576</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\apisetschema.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.367249"/>
+      <EventRecordID>577</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ntdll.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.367249"/>
+      <EventRecordID>578</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ntoskrnl.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.367249"/>
+      <EventRecordID>579</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ntkrnlpa.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.398449"/>
+      <EventRecordID>580</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\AppPatch\acwow64.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.414049"/>
+      <EventRecordID>581</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\tdh.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.414049"/>
+      <EventRecordID>582</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.414049"/>
+      <EventRecordID>583</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.445250"/>
+      <EventRecordID>584</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.445250"/>
+      <EventRecordID>585</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.445250"/>
+      <EventRecordID>586</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\wow64.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.445250"/>
+      <EventRecordID>587</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\wow64cpu.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.460850"/>
+      <EventRecordID>588</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.460850"/>
+      <EventRecordID>589</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.460850"/>
+      <EventRecordID>590</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.460850"/>
+      <EventRecordID>591</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.476448"/>
+      <EventRecordID>592</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.476448"/>
+      <EventRecordID>593</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.476448"/>
+      <EventRecordID>594</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.476448"/>
+      <EventRecordID>595</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ntvdm64.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.492048"/>
+      <EventRecordID>596</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.492048"/>
+      <EventRecordID>597</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.492048"/>
+      <EventRecordID>598</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.492048"/>
+      <EventRecordID>599</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.507648"/>
+      <EventRecordID>600</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.507648"/>
+      <EventRecordID>601</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.507648"/>
+      <EventRecordID>602</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\conhost.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.507648"/>
+      <EventRecordID>603</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.523249"/>
+      <EventRecordID>604</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\advapi32.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.523249"/>
+      <EventRecordID>605</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.523249"/>
+      <EventRecordID>606</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.538849"/>
+      <EventRecordID>607</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\wow64win.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.538849"/>
+      <EventRecordID>608</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.538849"/>
+      <EventRecordID>609</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\kernel32.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.538849"/>
+      <EventRecordID>610</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\KernelBase.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.554451"/>
+      <EventRecordID>611</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.554451"/>
+      <EventRecordID>612</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.554451"/>
+      <EventRecordID>613</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.554451"/>
+      <EventRecordID>614</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.554451"/>
+      <EventRecordID>615</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\winsrv.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.570051"/>
+      <EventRecordID>616</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.570051"/>
+      <EventRecordID>617</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.570051"/>
+      <EventRecordID>618</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.570051"/>
+      <EventRecordID>619</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\instnm.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.585651"/>
+      <EventRecordID>620</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\tdh.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.585651"/>
+      <EventRecordID>621</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.585651"/>
+      <EventRecordID>622</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.601250"/>
+      <EventRecordID>623</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.601250"/>
+      <EventRecordID>624</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.601250"/>
+      <EventRecordID>625</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\user.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.601250"/>
+      <EventRecordID>626</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.616850"/>
+      <EventRecordID>627</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.616850"/>
+      <EventRecordID>628</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.616850"/>
+      <EventRecordID>629</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.616850"/>
+      <EventRecordID>630</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.632450"/>
+      <EventRecordID>631</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.632450"/>
+      <EventRecordID>632</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.632450"/>
+      <EventRecordID>633</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ntvdm64.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.632450"/>
+      <EventRecordID>634</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.648050"/>
+      <EventRecordID>635</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.648050"/>
+      <EventRecordID>636</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.648050"/>
+      <EventRecordID>637</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.648050"/>
+      <EventRecordID>638</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.663651"/>
+      <EventRecordID>639</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.663651"/>
+      <EventRecordID>640</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\wow32.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.663651"/>
+      <EventRecordID>641</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.679251"/>
+      <EventRecordID>642</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\advapi32.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.679251"/>
+      <EventRecordID>643</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.679251"/>
+      <EventRecordID>644</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.679251"/>
+      <EventRecordID>645</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.694851"/>
+      <EventRecordID>646</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\KernelBase.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.694851"/>
+      <EventRecordID>647</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\kernel32.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.694851"/>
+      <EventRecordID>648</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.694851"/>
+      <EventRecordID>649</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.710451"/>
+      <EventRecordID>650</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.710451"/>
+      <EventRecordID>651</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.710451"/>
+      <EventRecordID>652</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.710451"/>
+      <EventRecordID>653</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\setup16.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.726051"/>
+      <EventRecordID>654</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:58.726051"/>
+      <EventRecordID>655</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.038050"/>
+      <EventRecordID>656</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Common Files\microsoft shared\VGX\VGX.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.038050"/>
+      <EventRecordID>657</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\D3DCompiler_47.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.038050"/>
+      <EventRecordID>658</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\iexplore.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.038050"/>
+      <EventRecordID>659</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ie9props.propdesc</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.053650"/>
+      <EventRecordID>660</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\JSProfilerCore.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.053650"/>
+      <EventRecordID>661</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\jsprofilerui.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.069250"/>
+      <EventRecordID>662</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\pdm.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.069250"/>
+      <EventRecordID>663</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\pdmproxy100.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.069250"/>
+      <EventRecordID>664</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\DiagnosticsTap.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.069250"/>
+      <EventRecordID>665</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ExtExport.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.084850"/>
+      <EventRecordID>666</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\sqmapi.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.084850"/>
+      <EventRecordID>667</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\jsdebuggeride.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.100451"/>
+      <EventRecordID>668</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\jsdbgui.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.100451"/>
+      <EventRecordID>669</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\msdbg2.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.100451"/>
+      <EventRecordID>670</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\networkinspection.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.116051"/>
+      <EventRecordID>671</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\iedvtool.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.116051"/>
+      <EventRecordID>672</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ielowutil.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.116051"/>
+      <EventRecordID>673</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ieproxy.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.116051"/>
+      <EventRecordID>674</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\ieinstal.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.131651"/>
+      <EventRecordID>675</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\F12Tools.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.131651"/>
+      <EventRecordID>676</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\IEShims.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.131651"/>
+      <EventRecordID>677</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\SIGNUP\install.ins</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd">S:AI</Data>
+      <Data Name="NewSd"/>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.147251"/>
+      <EventRecordID>678</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\F12Tools.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.194050"/>
+      <EventRecordID>679</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\jsprofilerui.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.209650"/>
+      <EventRecordID>680</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\jsdbgui.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.209650"/>
+      <EventRecordID>681</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\iedvtool.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.225250"/>
+      <EventRecordID>682</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\DiagnosticsTap.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.225250"/>
+      <EventRecordID>683</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\ieinstal.exe.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.225250"/>
+      <EventRecordID>684</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\eula.rtf</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.225250"/>
+      <EventRecordID>685</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\networkinspection.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.240850"/>
+      <EventRecordID>686</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.240850"/>
+      <EventRecordID>687</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.256451"/>
+      <EventRecordID>688</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\iexplore.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.256451"/>
+      <EventRecordID>689</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\Timeline_is.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.256451"/>
+      <EventRecordID>690</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\pdm.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.256451"/>
+      <EventRecordID>691</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\msdbg2.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.272051"/>
+      <EventRecordID>692</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\Timeline.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.272051"/>
+      <EventRecordID>693</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\JSProfilerCore.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.287651"/>
+      <EventRecordID>694</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\ielowutil.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.287651"/>
+      <EventRecordID>695</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\ieinstal.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.287651"/>
+      <EventRecordID>696</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\IEShims.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.287651"/>
+      <EventRecordID>697</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\pdmproxy100.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.303251"/>
+      <EventRecordID>698</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\perfcore.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.303251"/>
+      <EventRecordID>699</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\D3DCompiler_47.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.303251"/>
+      <EventRecordID>700</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\iedvtool.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.318851"/>
+      <EventRecordID>701</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\ieproxy.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.318851"/>
+      <EventRecordID>702</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\DiagnosticsTap.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.318851"/>
+      <EventRecordID>703</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\iediagcmd.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.334450"/>
+      <EventRecordID>704</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\perf_nt.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.334450"/>
+      <EventRecordID>705</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.334450"/>
+      <EventRecordID>706</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\F12Tools.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.334450"/>
+      <EventRecordID>707</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\jsdebuggeride.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.412451"/>
+      <EventRecordID>708</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\networkinspection.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.412451"/>
+      <EventRecordID>709</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\jsprofilerui.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.412451"/>
+      <EventRecordID>710</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\DiagnosticsHub.ScriptedSandboxPlugin.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.428051"/>
+      <EventRecordID>711</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\MemoryAnalyzer.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.428051"/>
+      <EventRecordID>712</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\F12Resources.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.428051"/>
+      <EventRecordID>713</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\ie9props.propdesc</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.443651"/>
+      <EventRecordID>714</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\jsdbgui.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.443651"/>
+      <EventRecordID>715</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\F12.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.443651"/>
+      <EventRecordID>716</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.443651"/>
+      <EventRecordID>717</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\Timeline.cpu.xml</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.459251"/>
+      <EventRecordID>718</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\sqmapi.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.459251"/>
+      <EventRecordID>719</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\jsprofilerui.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.459251"/>
+      <EventRecordID>720</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\F12Tools.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.474850"/>
+      <EventRecordID>721</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\F12.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.474850"/>
+      <EventRecordID>722</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\jsdbgui.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.474850"/>
+      <EventRecordID>723</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.490450"/>
+      <EventRecordID>724</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.506050"/>
+      <EventRecordID>725</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.506050"/>
+      <EventRecordID>726</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\DiagnosticsTap.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.506050"/>
+      <EventRecordID>727</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.521652"/>
+      <EventRecordID>728</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\eula.rtf</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.599651"/>
+      <EventRecordID>729</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.599651"/>
+      <EventRecordID>730</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\images\bing.ico</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.599651"/>
+      <EventRecordID>731</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Program Files\Internet Explorer\SIGNUP\install.ins</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd">S:AI</Data>
+      <Data Name="NewSd"/>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.615252"/>
+      <EventRecordID>732</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ieapfltr.dat</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.615252"/>
+      <EventRecordID>733</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\url.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.630852"/>
+      <EventRecordID>734</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\mshta.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.630852"/>
+      <EventRecordID>735</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\jsproxy.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.630852"/>
+      <EventRecordID>736</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ieUnatt.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.646452"/>
+      <EventRecordID>737</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ieui.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.646452"/>
+      <EventRecordID>738</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\mshtmlmedia.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.646452"/>
+      <EventRecordID>739</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ieetwproxystub.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.646452"/>
+      <EventRecordID>740</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\jsIntl.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.646452"/>
+      <EventRecordID>741</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\RegisterIEPKEYs.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.662052"/>
+      <EventRecordID>742</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\iepeers.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.662052"/>
+      <EventRecordID>743</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\elshyph.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.662052"/>
+      <EventRecordID>744</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ieframe.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.677652"/>
+      <EventRecordID>745</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ie4uinit.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.677652"/>
+      <EventRecordID>746</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\licmgr10.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.693253"/>
+      <EventRecordID>747</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\mshtmler.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.693253"/>
+      <EventRecordID>748</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\iexpress.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.693253"/>
+      <EventRecordID>749</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\IEAdvpack.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.708853"/>
+      <EventRecordID>750</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\dxtrans.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.802452"/>
+      <EventRecordID>751</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\wextract.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.818052"/>
+      <EventRecordID>752</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ieetwcollectorres.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.818052"/>
+      <EventRecordID>753</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\SetIEInstalledDate.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.833652"/>
+      <EventRecordID>754</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\wininet.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.833652"/>
+      <EventRecordID>755</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\MshtmlDac.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.849253"/>
+      <EventRecordID>756</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\jscript.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.849253"/>
+      <EventRecordID>757</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\JavaScriptCollectionAgent.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.849253"/>
+      <EventRecordID>758</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\msfeedssync.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.864853"/>
+      <EventRecordID>759</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\webcheck.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.864853"/>
+      <EventRecordID>760</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\MsSpellCheckingFacility.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.880453"/>
+      <EventRecordID>761</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\icardie.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.880453"/>
+      <EventRecordID>762</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\iertutil.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.896051"/>
+      <EventRecordID>763</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\pngfilt.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.896051"/>
+      <EventRecordID>764</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\msls31.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.911652"/>
+      <EventRecordID>765</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ieetwcollector.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.911652"/>
+      <EventRecordID>766</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\jscript9diag.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.927252"/>
+      <EventRecordID>767</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\iedkcs32.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.942852"/>
+      <EventRecordID>768</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\iesetup.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.942852"/>
+      <EventRecordID>769</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\iernonce.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.942852"/>
+      <EventRecordID>770</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\vbscript.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.958452"/>
+      <EventRecordID>771</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\inseng.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.958452"/>
+      <EventRecordID>772</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\iesysprep.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.974052"/>
+      <EventRecordID>773</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\inetcpl.cpl</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.974052"/>
+      <EventRecordID>774</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\jscript9.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.974052"/>
+      <EventRecordID>775</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\occache.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.974052"/>
+      <EventRecordID>776</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ieapfltr.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.989653"/>
+      <EventRecordID>777</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\html.iec</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:18:59.989653"/>
+      <EventRecordID>778</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\imgutil.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.005253"/>
+      <EventRecordID>779</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\msfeeds.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.005253"/>
+      <EventRecordID>780</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\ieuinit.inf</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.005253"/>
+      <EventRecordID>781</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\tdc.ocx</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.020853"/>
+      <EventRecordID>782</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\mshtml.tlb</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.020853"/>
+      <EventRecordID>783</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\mshtml.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.036451"/>
+      <EventRecordID>784</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\mshtmled.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.036451"/>
+      <EventRecordID>785</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\urlmon.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.052052"/>
+      <EventRecordID>786</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\msfeedsbs.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.052052"/>
+      <EventRecordID>787</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\msrating.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.052052"/>
+      <EventRecordID>788</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\dxtmsft.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.067652"/>
+      <EventRecordID>789</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\iesetup.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.067652"/>
+      <EventRecordID>790</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\mshtmlmedia.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.083252"/>
+      <EventRecordID>791</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\icardie.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.098852"/>
+      <EventRecordID>792</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\iepeers.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.130053"/>
+      <EventRecordID>793</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\IEAdvpack.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.130053"/>
+      <EventRecordID>794</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\jsIntl.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.130053"/>
+      <EventRecordID>795</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\occache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.130053"/>
+      <EventRecordID>796</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\MsSpellCheckingFacility.exe.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.145653"/>
+      <EventRecordID>797</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\wextract.exe.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.145653"/>
+      <EventRecordID>798</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\ieunatt.exe.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.145653"/>
+      <EventRecordID>799</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\ie4uinit.exe.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.161253"/>
+      <EventRecordID>800</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\iernonce.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.161253"/>
+      <EventRecordID>801</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\elshyph.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.161253"/>
+      <EventRecordID>802</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\jscript.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.176851"/>
+      <EventRecordID>803</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\msrating.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.176851"/>
+      <EventRecordID>804</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\ieframe.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.176851"/>
+      <EventRecordID>805</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\msfeedsbs.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.192451"/>
+      <EventRecordID>806</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\vbscript.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.192451"/>
+      <EventRecordID>807</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\ieui.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.208052"/>
+      <EventRecordID>808</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\html.iec.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.208052"/>
+      <EventRecordID>809</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\iexpress.exe.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.223652"/>
+      <EventRecordID>810</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\mshtmler.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.223652"/>
+      <EventRecordID>811</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\urlmon.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.223652"/>
+      <EventRecordID>812</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\jscript9.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.239252"/>
+      <EventRecordID>813</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\iedkcs32.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.239252"/>
+      <EventRecordID>814</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\webcheck.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.239252"/>
+      <EventRecordID>815</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\wininet.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.254852"/>
+      <EventRecordID>816</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\mshta.exe.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.254852"/>
+      <EventRecordID>817</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\licmgr10.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.270452"/>
+      <EventRecordID>818</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\mshtml.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.270452"/>
+      <EventRecordID>819</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\inseng.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.286053"/>
+      <EventRecordID>820</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\inetcpl.cpl.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.286053"/>
+      <EventRecordID>821</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\en-US\ieetwcollectorres.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.286053"/>
+      <EventRecordID>822</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\spp\tokens\ppdlic\Microsoft-Windows-IE-InternetExplorer-ppdlic.xrm-ms</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.286053"/>
+      <EventRecordID>823</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\wdi\perftrack\Microsoft-Windows-IE-HTMLRendering.ptxml</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.301653"/>
+      <EventRecordID>824</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\wdi\perftrack\ieframe.ptxml</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.301653"/>
+      <EventRecordID>825</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\wdi\perftrack\Microsoft-Windows-IE-F12-Provider.ptxml</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.317253"/>
+      <EventRecordID>826</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\System32\migration\WininetPlugin.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.317253"/>
+      <EventRecordID>827</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\PolicyDefinitions\inetres.admx</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.332851"/>
+      <EventRecordID>828</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\PolicyDefinitions\en-US\InetRes.adml</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.410854"/>
+      <EventRecordID>829</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ieapfltr.dat</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.410854"/>
+      <EventRecordID>830</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\mshta.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.426455"/>
+      <EventRecordID>831</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\jsproxy.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.426455"/>
+      <EventRecordID>832</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\url.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.426455"/>
+      <EventRecordID>833</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ieUnatt.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.442055"/>
+      <EventRecordID>834</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ieui.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.442055"/>
+      <EventRecordID>835</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\mshtmlmedia.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.442055"/>
+      <EventRecordID>836</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\jsIntl.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.442055"/>
+      <EventRecordID>837</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ieetwproxystub.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.457653"/>
+      <EventRecordID>838</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\RegisterIEPKEYs.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.457653"/>
+      <EventRecordID>839</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\elshyph.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.457653"/>
+      <EventRecordID>840</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\iepeers.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.473253"/>
+      <EventRecordID>841</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ieframe.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.473253"/>
+      <EventRecordID>842</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\licmgr10.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.488853"/>
+      <EventRecordID>843</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\mshtmler.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.488853"/>
+      <EventRecordID>844</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\iexpress.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.488853"/>
+      <EventRecordID>845</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\IEAdvpack.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.488853"/>
+      <EventRecordID>846</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\wextract.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.504454"/>
+      <EventRecordID>847</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\dxtrans.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.504454"/>
+      <EventRecordID>848</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\wininet.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.520054"/>
+      <EventRecordID>849</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\SetIEInstalledDate.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.520054"/>
+      <EventRecordID>850</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\MshtmlDac.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.520054"/>
+      <EventRecordID>851</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\jscript.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.535654"/>
+      <EventRecordID>852</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.535654"/>
+      <EventRecordID>853</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\msfeedssync.exe</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.535654"/>
+      <EventRecordID>854</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\webcheck.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.551254"/>
+      <EventRecordID>855</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\icardie.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.551254"/>
+      <EventRecordID>856</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\iertutil.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.566854"/>
+      <EventRecordID>857</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\pngfilt.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.582455"/>
+      <EventRecordID>858</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\jscript9diag.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.582455"/>
+      <EventRecordID>859</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\msls31.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.598053"/>
+      <EventRecordID>860</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\iedkcs32.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.598053"/>
+      <EventRecordID>861</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\iesetup.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.613653"/>
+      <EventRecordID>862</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\iernonce.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.613653"/>
+      <EventRecordID>863</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\vbscript.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.613653"/>
+      <EventRecordID>864</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\iesysprep.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.629253"/>
+      <EventRecordID>865</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\inseng.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.629253"/>
+      <EventRecordID>866</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\jscript9.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.629253"/>
+      <EventRecordID>867</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\occache.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.644854"/>
+      <EventRecordID>868</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\inetcpl.cpl</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.644854"/>
+      <EventRecordID>869</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ieapfltr.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.644854"/>
+      <EventRecordID>870</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\html.iec</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.660454"/>
+      <EventRecordID>871</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\imgutil.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.660454"/>
+      <EventRecordID>872</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\msfeeds.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.660454"/>
+      <EventRecordID>873</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\ieuinit.inf</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.676054"/>
+      <EventRecordID>874</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\tdc.ocx</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.676054"/>
+      <EventRecordID>875</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\mshtml.tlb</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.676054"/>
+      <EventRecordID>876</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\mshtml.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.691654"/>
+      <EventRecordID>877</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\mshtmled.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.691654"/>
+      <EventRecordID>878</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\urlmon.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.691654"/>
+      <EventRecordID>879</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\msfeedsbs.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.707254"/>
+      <EventRecordID>880</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\msrating.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.707254"/>
+      <EventRecordID>881</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\dxtmsft.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.722855"/>
+      <EventRecordID>882</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\webcheck.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.722855"/>
+      <EventRecordID>883</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iernonce.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.722855"/>
+      <EventRecordID>884</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\inseng.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.738453"/>
+      <EventRecordID>885</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\html.iec.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.738453"/>
+      <EventRecordID>886</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\msrating.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.738453"/>
+      <EventRecordID>887</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\wininet.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.754053"/>
+      <EventRecordID>888</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\ieui.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.754053"/>
+      <EventRecordID>889</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\elshyph.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.769653"/>
+      <EventRecordID>890</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iexpress.exe.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.769653"/>
+      <EventRecordID>891</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\ieetwcollectorres.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.769653"/>
+      <EventRecordID>892</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\occache.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.785254"/>
+      <EventRecordID>893</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\ieframe.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.785254"/>
+      <EventRecordID>894</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\mshta.exe.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.785254"/>
+      <EventRecordID>895</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\mshtml.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.800854"/>
+      <EventRecordID>896</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\wextract.exe.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.800854"/>
+      <EventRecordID>897</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iesetup.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.800854"/>
+      <EventRecordID>898</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\ieunatt.exe.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.816454"/>
+      <EventRecordID>899</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\licmgr10.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.816454"/>
+      <EventRecordID>900</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\mshtmler.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.832054"/>
+      <EventRecordID>901</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\jscript.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.832054"/>
+      <EventRecordID>902</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\vbscript.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.832054"/>
+      <EventRecordID>903</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iepeers.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.847654"/>
+      <EventRecordID>904</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\IEAdvpack.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.863255"/>
+      <EventRecordID>905</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\msfeedsbs.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.863255"/>
+      <EventRecordID>906</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\mshtmlmedia.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.878855"/>
+      <EventRecordID>907</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\iedkcs32.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.878855"/>
+      <EventRecordID>908</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\urlmon.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.878855"/>
+      <EventRecordID>909</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\inetcpl.cpl.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.894453"/>
+      <EventRecordID>910</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\jscript9.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.894453"/>
+      <EventRecordID>911</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\en-US\icardie.dll.mui</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.894453"/>
+      <EventRecordID>912</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\wdi\perftrack\wow64_ieframe.ptxml</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.910053"/>
+      <EventRecordID>913</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\wdi\perftrack\wow64_Microsoft-Windows-IE-HTMLRendering.ptxml</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.910053"/>
+      <EventRecordID>914</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\SysWOW64\migration\WininetPlugin.dll</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.941254"/>
+      <EventRecordID>915</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\Globalization\ELS\SpellDictionaries\MsSp7en.acl</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.956854"/>
+      <EventRecordID>916</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\Globalization\ELS\SpellDictionaries\MsSp7en.dub</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.956854"/>
+      <EventRecordID>917</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\Globalization\ELS\SpellDictionaries\MsSp7en.lex</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:00.972454"/>
+      <EventRecordID>918</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="472"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\Globalization\ELS\HyphenationDictionaries\MsHy7en.lex</Data>
+      <Data Name="HandleId">0x000000000000001c</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)</Data>
+      <Data Name="ProcessId">0x0000000000000cdc</Data>
+      <Data Name="ProcessName">C:\Windows\System32\poqexec.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog"/>
+      <EventID Qualifiers="">1100</EventID>
+      <Version>0</Version>
+      <Level>4</Level>
+      <Task>103</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x4020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:42.967728"/>
+      <EventRecordID>919</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="728" ThreadID="2476"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <UserData>
+      <ServiceShutdown/>
+    </UserData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:42.515327"/>
+      <EventRecordID>920</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="492"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001c0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:19:42.515327"/>
+      <EventRecordID>921</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="456" ThreadID="492"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4608</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:31.655058"/>
+      <EventRecordID>922</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="504"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:31.655058"/>
+      <EventRecordID>923</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="504"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">0</Data>
+      <Data Name="LogonProcessName">-</Data>
+      <Data Name="AuthenticationPackageName">-</Data>
+      <Data Name="WorkstationName">-</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000004</Data>
+      <Data Name="ProcessName"/>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4902</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:32.388258"/>
+      <EventRecordID>924</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="552"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="PuaCount">0</Data>
+      <Data Name="PuaPolicyId">0x000000000000c957</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:54.493498"/>
+      <EventRecordID>925</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:54.493498"/>
+      <EventRecordID>926</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:54.649498"/>
+      <EventRecordID>927</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-20</Data>
+      <Data Name="TargetUserName">NETWORK SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e4</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:54.649498"/>
+      <EventRecordID>928</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-20</Data>
+      <Data Name="SubjectUserName">NETWORK SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e4</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:54.758699"/>
+      <EventRecordID>929</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-19</Data>
+      <Data Name="TargetUserName">LOCAL SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e5</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:54.758699"/>
+      <EventRecordID>930</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:54.821098"/>
+      <EventRecordID>931</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:54.821098"/>
+      <EventRecordID>932</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:54.899099"/>
+      <EventRecordID>933</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:54.899099"/>
+      <EventRecordID>934</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:56.427902"/>
+      <EventRecordID>935</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:22:56.427902"/>
+      <EventRecordID>936</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:23:02.059311"/>
+      <EventRecordID>937</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="624"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:23:02.059311"/>
+      <EventRecordID>938</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="624"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5033</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:23:02.418114"/>
+      <EventRecordID>939</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="52"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:23:02.714514"/>
+      <EventRecordID>940</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="548"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-7</Data>
+      <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x000000000001a427</Data>
+      <Data Name="LogonType">3</Data>
+      <Data Name="LogonProcessName">NtLmSsp </Data>
+      <Data Name="AuthenticationPackageName">NTLM</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">NTLM V1</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000000</Data>
+      <Data Name="ProcessName">-</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5024</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:23:02.745712"/>
+      <EventRecordID>941</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="624"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:23:12.589331"/>
+      <EventRecordID>942</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:23:12.589331"/>
+      <EventRecordID>943</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:23:24.804152"/>
+      <EventRecordID>944</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="516"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\Globalization\ELS\HyphenationDictionaries</Data>
+      <Data Name="HandleId">0x00000000000002d4</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;0x1f0116;;;WD)</Data>
+      <Data Name="ProcessId">0x00000000000003e8</Data>
+      <Data Name="ProcessName">C:\Windows\servicing\TrustedInstaller.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4907</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:23:24.850952"/>
+      <EventRecordID>945</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="516"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="ObjectServer">Security</Data>
+      <Data Name="ObjectType">File</Data>
+      <Data Name="ObjectName">C:\Windows\Globalization\ELS\SpellDictionaries</Data>
+      <Data Name="HandleId">0x00000000000002d0</Data>
+      <Data Name="OldSd"/>
+      <Data Name="NewSd">S:ARAI(AU;SAFA;0x1f0116;;;WD)</Data>
+      <Data Name="ProcessId">0x00000000000003e8</Data>
+      <Data Name="ProcessName">C:\Windows\servicing\TrustedInstaller.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:24:03.773020"/>
+      <EventRecordID>946</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="548"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">localhost</Data>
+      <Data Name="TargetInfo">localhost</Data>
+      <Data Name="ProcessId">0x00000000000001b8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:24:03.773020"/>
+      <EventRecordID>947</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="548"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000056f8b</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001b8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:24:03.773020"/>
+      <EventRecordID>948</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="548"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000056fb9</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001b8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:24:03.773020"/>
+      <EventRecordID>949</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="548"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x0000000000056f8b</Data>
+      <Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:25:04.193928"/>
+      <EventRecordID>950</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:25:04.193928"/>
+      <EventRecordID>951</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog"/>
+      <EventID Qualifiers="">1100</EventID>
+      <Version>0</Version>
+      <Level>4</Level>
+      <Task>103</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x4020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:28:28.791111"/>
+      <EventRecordID>952</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="760" ThreadID="2512"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <UserData>
+      <ServiceShutdown/>
+    </UserData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4647</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:28:28.026711"/>
+      <EventRecordID>953</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000056fb9</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4608</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:36.516434"/>
+      <EventRecordID>954</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="504"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:36.516434"/>
+      <EventRecordID>955</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="504"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">0</Data>
+      <Data Name="LogonProcessName">-</Data>
+      <Data Name="AuthenticationPackageName">-</Data>
+      <Data Name="WorkstationName">-</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000004</Data>
+      <Data Name="ProcessName"/>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4902</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:36.672434"/>
+      <EventRecordID>956</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="556"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="PuaCount">0</Data>
+      <Data Name="PuaPolicyId">0x000000000000c54c</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:37.998434"/>
+      <EventRecordID>957</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:37.998434"/>
+      <EventRecordID>958</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:38.154436"/>
+      <EventRecordID>959</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-20</Data>
+      <Data Name="TargetUserName">NETWORK SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e4</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:38.154436"/>
+      <EventRecordID>960</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-20</Data>
+      <Data Name="SubjectUserName">NETWORK SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e4</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:38.279236"/>
+      <EventRecordID>961</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-19</Data>
+      <Data Name="TargetUserName">LOCAL SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e5</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:38.279236"/>
+      <EventRecordID>962</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:38.388435"/>
+      <EventRecordID>963</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:38.388435"/>
+      <EventRecordID>964</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:38.435236"/>
+      <EventRecordID>965</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:38.435236"/>
+      <EventRecordID>966</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:38.887638"/>
+      <EventRecordID>967</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:38.887638"/>
+      <EventRecordID>968</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5033</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:39.839441"/>
+      <EventRecordID>969</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="44"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5024</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:41.029442"/>
+      <EventRecordID>970</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:43:43.719446"/>
+      <EventRecordID>971</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-7</Data>
+      <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x000000000001c185</Data>
+      <Data Name="LogonType">3</Data>
+      <Data Name="LogonProcessName">NtLmSsp </Data>
+      <Data Name="AuthenticationPackageName">NTLM</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">NTLM V1</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000000</Data>
+      <Data Name="ProcessName">-</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:45:16.282011"/>
+      <EventRecordID>972</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">localhost</Data>
+      <Data Name="TargetInfo">localhost</Data>
+      <Data Name="ProcessId">0x00000000000001b8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:45:16.282011"/>
+      <EventRecordID>973</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000000224e3</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001b8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:45:16.282011"/>
+      <EventRecordID>974</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000022517</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001b8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:45:16.282011"/>
+      <EventRecordID>975</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:45:31.129238"/>
+      <EventRecordID>976</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:45:31.129238"/>
+      <EventRecordID>977</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:45:45.700264"/>
+      <EventRecordID>978</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:45:45.700264"/>
+      <EventRecordID>979</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:47:37.490059"/>
+      <EventRecordID>980</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:47:37.490059"/>
+      <EventRecordID>981</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="596"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:51:37.681681"/>
+      <EventRecordID>982</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x0000000000022517</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="DisplayName">-</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">-</Data>
+      <Data Name="HomePath">-</Data>
+      <Data Name="ScriptPath">-</Data>
+      <Data Name="ProfilePath">-</Data>
+      <Data Name="UserWorkstations">-</Data>
+      <Data Name="PasswordLastSet">-</Data>
+      <Data Name="AccountExpires">-</Data>
+      <Data Name="PrimaryGroupId">-</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">-</Data>
+      <Data Name="NewUacValue">-</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">-</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4728</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:51:54.524311"/>
+      <EventRecordID>983</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="MemberName">-</Data>
+      <Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="TargetUserName">None</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-513</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4720</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:51:54.524311"/>
+      <EventRecordID>984</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">admin11</Data>
+      <Data Name="DisplayName">%%1793</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">%%1794</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x0</Data>
+      <Data Name="NewUacValue">0x15</Data>
+      <Data Name="UserAccountControl">
+		%%2080
+		%%2082
+		%%2084</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4722</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:51:54.524311"/>
+      <EventRecordID>985</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:51:54.524311"/>
+      <EventRecordID>986</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">admin11</Data>
+      <Data Name="DisplayName">admin11</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">%%1794</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x15</Data>
+      <Data Name="NewUacValue">0x210</Data>
+      <Data Name="UserAccountControl">
+		%%2048
+		%%2050
+		%%2089</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4732</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:51:54.524311"/>
+      <EventRecordID>987</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="MemberName">-</Data>
+      <Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="TargetUserName">Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-545</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:51:54.539913"/>
+      <EventRecordID>988</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="DisplayName">-</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">-</Data>
+      <Data Name="HomePath">-</Data>
+      <Data Name="ScriptPath">-</Data>
+      <Data Name="ProfilePath">-</Data>
+      <Data Name="UserWorkstations">-</Data>
+      <Data Name="PasswordLastSet">-</Data>
+      <Data Name="AccountExpires">-</Data>
+      <Data Name="PrimaryGroupId">-</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">-</Data>
+      <Data Name="NewUacValue">-</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">-</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4732</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:51:54.617912"/>
+      <EventRecordID>989</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="MemberName">-</Data>
+      <Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="TargetUserName">Administrators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-544</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:51:54.617912"/>
+      <EventRecordID>990</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">admin11</Data>
+      <Data Name="DisplayName">admin11</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">%%1794</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x210</Data>
+      <Data Name="NewUacValue">0x210</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:52:10.872742"/>
+      <EventRecordID>991</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">admin11</Data>
+      <Data Name="DisplayName">admin11</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">3/22/2015 11:52:10 AM</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x210</Data>
+      <Data Name="NewUacValue">0x210</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">-</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4724</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:52:10.872742"/>
+      <EventRecordID>992</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:52:17.881954"/>
+      <EventRecordID>993</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="DisplayName">-</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">-</Data>
+      <Data Name="HomePath">-</Data>
+      <Data Name="ScriptPath">-</Data>
+      <Data Name="ProfilePath">-</Data>
+      <Data Name="UserWorkstations">-</Data>
+      <Data Name="PasswordLastSet">-</Data>
+      <Data Name="AccountExpires">-</Data>
+      <Data Name="PrimaryGroupId">-</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">-</Data>
+      <Data Name="NewUacValue">-</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">-</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4728</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:52:30.742777"/>
+      <EventRecordID>994</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="MemberName">-</Data>
+      <Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+      <Data Name="TargetUserName">None</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-513</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4720</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:52:30.742777"/>
+      <EventRecordID>995</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">ITechTeam</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">ITechTeam</Data>
+      <Data Name="DisplayName">%%1793</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">%%1794</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x0</Data>
+      <Data Name="NewUacValue">0x15</Data>
+      <Data Name="UserAccountControl">
+		%%2080
+		%%2082
+		%%2084</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4722</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:52:30.742777"/>
+      <EventRecordID>996</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">ITechTeam</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:52:30.742777"/>
+      <EventRecordID>997</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">ITechTeam</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">ITechTeam</Data>
+      <Data Name="DisplayName">ITechTeam</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">%%1794</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x15</Data>
+      <Data Name="NewUacValue">0x210</Data>
+      <Data Name="UserAccountControl">
+		%%2048
+		%%2050
+		%%2089</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4732</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:52:30.758377"/>
+      <EventRecordID>998</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2568"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="MemberName">-</Data>
+      <Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+      <Data Name="TargetUserName">Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-545</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:52:30.773977"/>
+      <EventRecordID>999</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">ITechTeam</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="DisplayName">-</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">-</Data>
+      <Data Name="HomePath">-</Data>
+      <Data Name="ScriptPath">-</Data>
+      <Data Name="ProfilePath">-</Data>
+      <Data Name="UserWorkstations">-</Data>
+      <Data Name="PasswordLastSet">-</Data>
+      <Data Name="AccountExpires">-</Data>
+      <Data Name="PrimaryGroupId">-</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">-</Data>
+      <Data Name="NewUacValue">-</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">-</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4732</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:52:30.805178"/>
+      <EventRecordID>1000</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="MemberName">-</Data>
+      <Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+      <Data Name="TargetUserName">Administrators</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-544</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:52:30.820778"/>
+      <EventRecordID>1001</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">ITechTeam</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">ITechTeam</Data>
+      <Data Name="DisplayName">ITechTeam</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">%%1794</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x210</Data>
+      <Data Name="NewUacValue">0x210</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:52:45.546404"/>
+      <EventRecordID>1002</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">ITechTeam</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">ITechTeam</Data>
+      <Data Name="DisplayName">ITechTeam</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">3/22/2015 11:52:45 AM</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x210</Data>
+      <Data Name="NewUacValue">0x210</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">-</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4724</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:52:45.546404"/>
+      <EventRecordID>1003</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">ITechTeam</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:52:52.694817"/>
+      <EventRecordID>1004</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">ITechTeam</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1002</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="DisplayName">-</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">-</Data>
+      <Data Name="HomePath">-</Data>
+      <Data Name="ScriptPath">-</Data>
+      <Data Name="ProfilePath">-</Data>
+      <Data Name="UserWorkstations">-</Data>
+      <Data Name="PasswordLastSet">-</Data>
+      <Data Name="AccountExpires">-</Data>
+      <Data Name="PrimaryGroupId">-</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">-</Data>
+      <Data Name="NewUacValue">-</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">-</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4728</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:53:01.900034"/>
+      <EventRecordID>1005</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="MemberName">-</Data>
+      <Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+      <Data Name="TargetUserName">None</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-513</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4720</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:53:01.900034"/>
+      <EventRecordID>1006</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">temporary</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">temporary</Data>
+      <Data Name="DisplayName">%%1793</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">%%1794</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x0</Data>
+      <Data Name="NewUacValue">0x15</Data>
+      <Data Name="UserAccountControl">
+		%%2080
+		%%2082
+		%%2084</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4722</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:53:01.900034"/>
+      <EventRecordID>1007</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">temporary</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:53:01.900034"/>
+      <EventRecordID>1008</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">temporary</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">temporary</Data>
+      <Data Name="DisplayName">temporary</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">%%1794</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x15</Data>
+      <Data Name="NewUacValue">0x210</Data>
+      <Data Name="UserAccountControl">
+		%%2048
+		%%2050
+		%%2089</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4732</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13826</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:53:01.915634"/>
+      <EventRecordID>1009</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="MemberName">-</Data>
+      <Data Name="MemberSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+      <Data Name="TargetUserName">Users</Data>
+      <Data Name="TargetDomainName">Builtin</Data>
+      <Data Name="TargetSid">S-1-5-32-545</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:53:01.931234"/>
+      <EventRecordID>1010</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">temporary</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="DisplayName">-</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">-</Data>
+      <Data Name="HomePath">-</Data>
+      <Data Name="ScriptPath">-</Data>
+      <Data Name="ProfilePath">-</Data>
+      <Data Name="UserWorkstations">-</Data>
+      <Data Name="PasswordLastSet">-</Data>
+      <Data Name="AccountExpires">-</Data>
+      <Data Name="PrimaryGroupId">-</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">-</Data>
+      <Data Name="NewUacValue">-</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">-</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:53:01.978035"/>
+      <EventRecordID>1011</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">temporary</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">temporary</Data>
+      <Data Name="DisplayName">temporary</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">%%1794</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x210</Data>
+      <Data Name="NewUacValue">0x210</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">%%1793</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:53:11.774855"/>
+      <EventRecordID>1012</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">temporary</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">temporary</Data>
+      <Data Name="DisplayName">temporary</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">%%1793</Data>
+      <Data Name="HomePath">%%1793</Data>
+      <Data Name="ScriptPath">%%1793</Data>
+      <Data Name="ProfilePath">%%1793</Data>
+      <Data Name="UserWorkstations">%%1793</Data>
+      <Data Name="PasswordLastSet">3/22/2015 11:53:11 AM</Data>
+      <Data Name="AccountExpires">%%1794</Data>
+      <Data Name="PrimaryGroupId">513</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">0x210</Data>
+      <Data Name="NewUacValue">0x210</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">-</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">%%1797</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4724</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:53:11.774855"/>
+      <EventRecordID>1013</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="536"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserName">temporary</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4738</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13824</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:53:17.267263"/>
+      <EventRecordID>1014</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="Dummy">-</Data>
+      <Data Name="TargetUserName">temporary</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000224e3</Data>
+      <Data Name="PrivilegeList">-</Data>
+      <Data Name="SamAccountName">-</Data>
+      <Data Name="DisplayName">-</Data>
+      <Data Name="UserPrincipalName">-</Data>
+      <Data Name="HomeDirectory">-</Data>
+      <Data Name="HomePath">-</Data>
+      <Data Name="ScriptPath">-</Data>
+      <Data Name="ProfilePath">-</Data>
+      <Data Name="UserWorkstations">-</Data>
+      <Data Name="PasswordLastSet">-</Data>
+      <Data Name="AccountExpires">-</Data>
+      <Data Name="PrimaryGroupId">-</Data>
+      <Data Name="AllowedToDelegateTo">-</Data>
+      <Data Name="OldUacValue">-</Data>
+      <Data Name="NewUacValue">-</Data>
+      <Data Name="UserAccountControl">-</Data>
+      <Data Name="UserParameters">-</Data>
+      <Data Name="SidHistory">-</Data>
+      <Data Name="LogonHours">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:53:44.310112"/>
+      <EventRecordID>1015</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">localhost</Data>
+      <Data Name="TargetInfo">localhost</Data>
+      <Data Name="ProcessId">0x00000000000007a0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:53:44.310112"/>
+      <EventRecordID>1016</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000094b57</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000007a0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:53:44.310112"/>
+      <EventRecordID>1017</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000094b71</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000007a0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:53:44.310112"/>
+      <EventRecordID>1018</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="SubjectUserName">admin11</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x0000000000094b57</Data>
+      <Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4647</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:55:52.345053"/>
+      <EventRecordID>1019</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2272"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000094b71</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:55:57.259062"/>
+      <EventRecordID>1020</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">temporary</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">localhost</Data>
+      <Data Name="TargetInfo">localhost</Data>
+      <Data Name="ProcessId">0x000000000000072c</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:55:57.259062"/>
+      <EventRecordID>1021</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+      <Data Name="TargetUserName">temporary</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000000f2cd6</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x000000000000072c</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4634</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:56:45.514757"/>
+      <EventRecordID>1022</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000094b71</Data>
+      <Data Name="LogonType">2</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4634</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:56:45.514757"/>
+      <EventRecordID>1023</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000094b57</Data>
+      <Data Name="LogonType">2</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4647</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:56:58.020781"/>
+      <EventRecordID>1024</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+      <Data Name="TargetUserName">temporary</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000000f2cd6</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:57:02.435589"/>
+      <EventRecordID>1025</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">localhost</Data>
+      <Data Name="TargetInfo">localhost</Data>
+      <Data Name="ProcessId">0x0000000000000954</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:57:02.435589"/>
+      <EventRecordID>1026</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000001354b3</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000954</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:57:02.435589"/>
+      <EventRecordID>1027</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000001354c8</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000954</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:57:02.435589"/>
+      <EventRecordID>1028</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2668"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="SubjectUserName">admin11</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000001354b3</Data>
+      <Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4647</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:57:41.899269"/>
+      <EventRecordID>1029</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2272"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000001354c8</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:57:54.426090"/>
+      <EventRecordID>1030</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2272"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">localhost</Data>
+      <Data Name="TargetInfo">localhost</Data>
+      <Data Name="ProcessId">0x0000000000000c1c</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:57:54.426090"/>
+      <EventRecordID>1031</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2272"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000157b62</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000c1c</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:57:54.426090"/>
+      <EventRecordID>1032</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2272"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000157b78</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000c1c</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:57:54.426090"/>
+      <EventRecordID>1033</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2272"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x0000000000157b62</Data>
+      <Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4634</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:57:55.533691"/>
+      <EventRecordID>1034</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="988"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000157b78</Data>
+      <Data Name="LogonType">2</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4634</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:57:55.533691"/>
+      <EventRecordID>1035</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2272"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000157b62</Data>
+      <Data Name="LogonType">2</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4634</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:57:56.376093"/>
+      <EventRecordID>1036</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2272"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1003</Data>
+      <Data Name="TargetUserName">temporary</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000000f2cd6</Data>
+      <Data Name="LogonType">2</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4634</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:58:26.374947"/>
+      <EventRecordID>1037</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2272"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000001354c8</Data>
+      <Data Name="LogonType">2</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4634</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 15:58:26.374947"/>
+      <EventRecordID>1038</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="988"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1001</Data>
+      <Data Name="TargetUserName">admin11</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000001354b3</Data>
+      <Data Name="LogonType">2</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog"/>
+      <EventID Qualifiers="">1100</EventID>
+      <Version>0</Version>
+      <Level>4</Level>
+      <Task>103</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x4020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 16:00:09.652330"/>
+      <EventRecordID>1039</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="744" ThreadID="2916"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <UserData>
+      <ServiceShutdown/>
+    </UserData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4647</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-22 16:00:08.607128"/>
+      <EventRecordID>1040</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="500" ThreadID="2272"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000022517</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4608</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:23.645645"/>
+      <EventRecordID>1041</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="496"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:23.661245"/>
+      <EventRecordID>1042</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="496"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">0</Data>
+      <Data Name="LogonProcessName">-</Data>
+      <Data Name="AuthenticationPackageName">-</Data>
+      <Data Name="WorkstationName">-</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000004</Data>
+      <Data Name="ProcessName"/>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4902</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:23.708046"/>
+      <EventRecordID>1043</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="548"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="PuaCount">0</Data>
+      <Data Name="PuaPolicyId">0x000000000000bac4</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:24.659647"/>
+      <EventRecordID>1044</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:24.659647"/>
+      <EventRecordID>1045</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:24.800047"/>
+      <EventRecordID>1046</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-20</Data>
+      <Data Name="TargetUserName">NETWORK SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e4</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:24.800047"/>
+      <EventRecordID>1047</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-20</Data>
+      <Data Name="SubjectUserName">NETWORK SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e4</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:24.862448"/>
+      <EventRecordID>1048</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-19</Data>
+      <Data Name="TargetUserName">LOCAL SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e5</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:24.862448"/>
+      <EventRecordID>1049</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:24.940447"/>
+      <EventRecordID>1050</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:24.940447"/>
+      <EventRecordID>1051</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:25.065247"/>
+      <EventRecordID>1052</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:25.065247"/>
+      <EventRecordID>1053</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:26.244253"/>
+      <EventRecordID>1054</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="528"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:26.244253"/>
+      <EventRecordID>1055</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="528"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5033</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:26.424252"/>
+      <EventRecordID>1056</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="64"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5024</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:26.656254"/>
+      <EventRecordID>1057</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:28.422262"/>
+      <EventRecordID>1058</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-7</Data>
+      <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x000000000001b9a4</Data>
+      <Data Name="LogonType">3</Data>
+      <Data Name="LogonProcessName">NtLmSsp </Data>
+      <Data Name="AuthenticationPackageName">NTLM</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">NTLM V1</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000000</Data>
+      <Data Name="ProcessName">-</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:41.036285"/>
+      <EventRecordID>1059</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">localhost</Data>
+      <Data Name="TargetInfo">localhost</Data>
+      <Data Name="ProcessId">0x00000000000001a8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:41.036285"/>
+      <EventRecordID>1060</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x000000000002359c</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001a8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:41.036285"/>
+      <EventRecordID>1061</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000000235cc</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001a8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:41.036285"/>
+      <EventRecordID>1062</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x000000000002359c</Data>
+      <Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:53.981310"/>
+      <EventRecordID>1063</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:24:53.981310"/>
+      <EventRecordID>1064</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4616</EventID>
+      <Version>1</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:25:47.191999"/>
+      <EventRecordID>1065</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="56"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PreviousTime">2015-03-23 17:25:47.192598</Data>
+      <Data Name="NewTime">2015-03-23 17:25:47.191999</Data>
+      <Data Name="ProcessId">0x0000000000000358</Data>
+      <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:26:34.578482"/>
+      <EventRecordID>1066</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 17:26:34.578482"/>
+      <EventRecordID>1067</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 18:36:07.849930"/>
+      <EventRecordID>1068</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="4028"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 18:36:07.849930"/>
+      <EventRecordID>1069</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="4028"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4616</EventID>
+      <Version>1</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 19:08:15.571480"/>
+      <EventRecordID>1070</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="52"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PreviousTime">2015-03-23 18:57:01.113134</Data>
+      <Data Name="NewTime">2015-03-23 19:08:15.571480</Data>
+      <Data Name="ProcessId">0x0000000000000358</Data>
+      <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4616</EventID>
+      <Version>1</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 19:08:15.586599"/>
+      <EventRecordID>1071</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="64"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PreviousTime">2015-03-23 19:08:15.571480</Data>
+      <Data Name="NewTime">2015-03-23 19:08:15.570999</Data>
+      <Data Name="ProcessId">0x0000000000000358</Data>
+      <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4616</EventID>
+      <Version>1</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 19:08:46.442999"/>
+      <EventRecordID>1072</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="52"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PreviousTime">2015-03-23 19:08:46.443419</Data>
+      <Data Name="NewTime">2015-03-23 19:08:46.442999</Data>
+      <Data Name="ProcessId">0x0000000000000358</Data>
+      <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 20:00:22.997030"/>
+      <EventRecordID>1073</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="2208"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 20:00:22.997030"/>
+      <EventRecordID>1074</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="2208"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 20:00:45.605478"/>
+      <EventRecordID>1075</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="3192"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 20:00:45.605478"/>
+      <EventRecordID>1076</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="3192"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 20:01:01.714952"/>
+      <EventRecordID>1077</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 20:01:01.714952"/>
+      <EventRecordID>1078</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 20:01:02.354555"/>
+      <EventRecordID>1079</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 20:01:02.354555"/>
+      <EventRecordID>1080</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4904</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 20:01:22.824591"/>
+      <EventRecordID>1081</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="2208"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="AuditSourceName">VSSAudit</Data>
+      <Data Name="EventSourceId">0x00000000002c2083</Data>
+      <Data Name="ProcessId">0x0000000000000d40</Data>
+      <Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4905</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 20:01:22.840191"/>
+      <EventRecordID>1082</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="2208"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="AuditSourceName">VSSAudit</Data>
+      <Data Name="EventSourceId">0x00000000002c2083</Data>
+      <Data Name="ProcessId">0x0000000000000d40</Data>
+      <Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 20:23:27.973217"/>
+      <EventRecordID>1083</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="2164"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000235cc</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">Company</Data>
+      <Data Name="TargetDomainName">INFORMANT-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">Company-PC</Data>
+      <Data Name="TargetInfo">Company-PC</Data>
+      <Data Name="ProcessId">0x0000000000000004</Data>
+      <Data Name="ProcessName"/>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4647</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 21:02:53.551575"/>
+      <EventRecordID>1084</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="492" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000000235cc</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog"/>
+      <EventID Qualifiers="">1100</EventID>
+      <Version>0</Version>
+      <Level>4</Level>
+      <Task>103</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x4020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-23 21:02:59.900787"/>
+      <EventRecordID>1085</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="724" ThreadID="3256"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <UserData>
+      <ServiceShutdown/>
+    </UserData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4608</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:29.399240"/>
+      <EventRecordID>1086</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="500"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:29.399240"/>
+      <EventRecordID>1087</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="500"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">0</Data>
+      <Data Name="LogonProcessName">-</Data>
+      <Data Name="AuthenticationPackageName">-</Data>
+      <Data Name="WorkstationName">-</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000004</Data>
+      <Data Name="ProcessName"/>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4902</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:29.461641"/>
+      <EventRecordID>1088</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="548"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="PuaCount">0</Data>
+      <Data Name="PuaPolicyId">0x000000000000b683</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:36.481653"/>
+      <EventRecordID>1089</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="560"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:36.481653"/>
+      <EventRecordID>1090</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="560"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:36.653254"/>
+      <EventRecordID>1091</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="560"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-20</Data>
+      <Data Name="TargetUserName">NETWORK SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e4</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:36.653254"/>
+      <EventRecordID>1092</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="560"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-20</Data>
+      <Data Name="SubjectUserName">NETWORK SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e4</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:36.715654"/>
+      <EventRecordID>1093</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="564"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-19</Data>
+      <Data Name="TargetUserName">LOCAL SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e5</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:36.715654"/>
+      <EventRecordID>1094</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="564"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:36.824854"/>
+      <EventRecordID>1095</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="560"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:36.824854"/>
+      <EventRecordID>1096</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="560"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:36.902853"/>
+      <EventRecordID>1097</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="560"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:36.902853"/>
+      <EventRecordID>1098</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="560"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:37.949461"/>
+      <EventRecordID>1099</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="564"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:37.949461"/>
+      <EventRecordID>1100</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="564"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5033</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:38.131464"/>
+      <EventRecordID>1101</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="52"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5024</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:38.323465"/>
+      <EventRecordID>1102</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="564"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:38.835484"/>
+      <EventRecordID>1103</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="560"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-7</Data>
+      <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x000000000001c0ce</Data>
+      <Data Name="LogonType">3</Data>
+      <Data Name="LogonProcessName">NtLmSsp </Data>
+      <Data Name="AuthenticationPackageName">NTLM</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">NTLM V1</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000000</Data>
+      <Data Name="ProcessName">-</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:44.983509"/>
+      <EventRecordID>1104</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="532"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">localhost</Data>
+      <Data Name="TargetInfo">localhost</Data>
+      <Data Name="ProcessId">0x00000000000001b8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:44.983509"/>
+      <EventRecordID>1105</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="532"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x000000000002269c</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001b8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:44.983509"/>
+      <EventRecordID>1106</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="532"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000000226c4</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001b8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:44.983509"/>
+      <EventRecordID>1107</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="532"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x000000000002269c</Data>
+      <Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:57.353931"/>
+      <EventRecordID>1108</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="560"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:21:57.353931"/>
+      <EventRecordID>1109</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="560"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:23:40.220510"/>
+      <EventRecordID>1110</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="532"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:23:40.220510"/>
+      <EventRecordID>1111</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="532"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 13:47:06.075186"/>
+      <EventRecordID>1112</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="1740"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000000226c4</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">Company</Data>
+      <Data Name="TargetDomainName">INFORMANT-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">Company-PC</Data>
+      <Data Name="TargetInfo">Company-PC</Data>
+      <Data Name="ProcessId">0x0000000000000004</Data>
+      <Data Name="ProcessName"/>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 15:14:30.786434"/>
+      <EventRecordID>1113</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="560"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 15:14:30.786434"/>
+      <EventRecordID>1114</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="560"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 15:21:38.226231"/>
+      <EventRecordID>1115</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="2160"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 15:21:38.226231"/>
+      <EventRecordID>1116</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="2160"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 15:21:38.507030"/>
+      <EventRecordID>1117</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="2160"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 15:21:38.507030"/>
+      <EventRecordID>1118</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="2160"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 15:22:39.911482"/>
+      <EventRecordID>1119</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="2904"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 15:22:39.911482"/>
+      <EventRecordID>1120</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="2904"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 15:46:14.466702"/>
+      <EventRecordID>1121</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="1716"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 15:46:14.466702"/>
+      <EventRecordID>1122</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="1716"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 18:28:38.261791"/>
+      <EventRecordID>1123</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="988"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">localhost</Data>
+      <Data Name="TargetInfo">localhost</Data>
+      <Data Name="ProcessId">0x00000000000001b8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 18:28:38.261791"/>
+      <EventRecordID>1124</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="988"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000006cabcf</Data>
+      <Data Name="LogonType">7</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001b8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 18:28:38.261791"/>
+      <EventRecordID>1125</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="988"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000006cabdd</Data>
+      <Data Name="LogonType">7</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001b8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 18:28:38.261791"/>
+      <EventRecordID>1126</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="988"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x00000000006cabcf</Data>
+      <Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4634</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 18:28:38.261791"/>
+      <EventRecordID>1127</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="988"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000006cabdd</Data>
+      <Data Name="LogonType">7</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4634</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 18:28:38.261791"/>
+      <EventRecordID>1128</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="988"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000006cabcf</Data>
+      <Data Name="LogonType">7</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 20:58:52.193810"/>
+      <EventRecordID>1129</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="2068"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001e8</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 20:58:52.193810"/>
+      <EventRecordID>1130</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="2068"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4647</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 21:07:25.488918"/>
+      <EventRecordID>1131</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="496" ThreadID="3392"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x00000000000226c4</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog"/>
+      <EventID Qualifiers="">1100</EventID>
+      <Version>0</Version>
+      <Level>4</Level>
+      <Task>103</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x4020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-24 21:07:26.799320"/>
+      <EventRecordID>1132</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="760" ThreadID="4048"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <UserData>
+      <ServiceShutdown/>
+    </UserData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4608</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:41.968834"/>
+      <EventRecordID>1133</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="476"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:41.968834"/>
+      <EventRecordID>1134</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="476"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">0</Data>
+      <Data Name="LogonProcessName">-</Data>
+      <Data Name="AuthenticationPackageName">-</Data>
+      <Data Name="WorkstationName">-</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000004</Data>
+      <Data Name="ProcessName"/>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4902</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:42.468035"/>
+      <EventRecordID>1135</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="524"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="PuaCount">0</Data>
+      <Data Name="PuaPolicyId">0x000000000000ba7d</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:42.592834"/>
+      <EventRecordID>1136</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:42.592834"/>
+      <EventRecordID>1137</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:43.372837"/>
+      <EventRecordID>1138</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-20</Data>
+      <Data Name="TargetUserName">NETWORK SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e4</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:43.372837"/>
+      <EventRecordID>1139</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-20</Data>
+      <Data Name="SubjectUserName">NETWORK SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e4</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:43.497637"/>
+      <EventRecordID>1140</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-19</Data>
+      <Data Name="TargetUserName">LOCAL SERVICE</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e5</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:43.497637"/>
+      <EventRecordID>1141</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeAuditPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:43.638037"/>
+      <EventRecordID>1142</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:43.638037"/>
+      <EventRecordID>1143</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:43.669237"/>
+      <EventRecordID>1144</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:43.669237"/>
+      <EventRecordID>1145</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:45.556839"/>
+      <EventRecordID>1146</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:45.556839"/>
+      <EventRecordID>1147</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5033</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:45.777241"/>
+      <EventRecordID>1148</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="64"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">5024</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12292</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:46.425243"/>
+      <EventRecordID>1149</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="508"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData/>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:05:48.117256"/>
+      <EventRecordID>1150</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-0-0</Data>
+      <Data Name="SubjectUserName">-</Data>
+      <Data Name="SubjectDomainName">-</Data>
+      <Data Name="SubjectLogonId">0x0000000000000000</Data>
+      <Data Name="TargetUserSid">S-1-5-7</Data>
+      <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x000000000001c0d1</Data>
+      <Data Name="LogonType">3</Data>
+      <Data Name="LogonProcessName">NtLmSsp </Data>
+      <Data Name="AuthenticationPackageName">NTLM</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">NTLM V1</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000000</Data>
+      <Data Name="ProcessName">-</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:06:08.919298"/>
+      <EventRecordID>1151</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="520"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">localhost</Data>
+      <Data Name="TargetInfo">localhost</Data>
+      <Data Name="ProcessId">0x0000000000000194</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:06:08.919298"/>
+      <EventRecordID>1152</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="520"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000025465</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000194</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:06:08.919298"/>
+      <EventRecordID>1153</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="520"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000025493</Data>
+      <Data Name="LogonType">2</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000194</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:06:08.919298"/>
+      <EventRecordID>1154</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="520"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x0000000000025465</Data>
+      <Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:06:16.402313"/>
+      <EventRecordID>1155</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="528"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:06:16.402313"/>
+      <EventRecordID>1156</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="528"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:07:49.222477"/>
+      <EventRecordID>1157</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:07:49.222477"/>
+      <EventRecordID>1158</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="540"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:23:59.668980"/>
+      <EventRecordID>1159</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="528"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 13:23:59.668980"/>
+      <EventRecordID>1160</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="528"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4616</EventID>
+      <Version>1</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:13:47.009901"/>
+      <EventRecordID>1161</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="44"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PreviousTime">2015-03-25 13:29:46.566790</Data>
+      <Data Name="NewTime">2015-03-25 14:13:47.009901</Data>
+      <Data Name="ProcessId">0x0000000000000330</Data>
+      <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4616</EventID>
+      <Version>1</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:13:47.025000"/>
+      <EventRecordID>1162</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="48"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PreviousTime">2015-03-25 14:13:47.025499</Data>
+      <Data Name="NewTime">2015-03-25 14:13:47.025000</Data>
+      <Data Name="ProcessId">0x0000000000000330</Data>
+      <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:31:53.299805"/>
+      <EventRecordID>1163</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="2772"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:31:53.299805"/>
+      <EventRecordID>1164</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="2772"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4648</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:45:59.180204"/>
+      <EventRecordID>1165</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="1064"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TargetServerName">localhost</Data>
+      <Data Name="TargetInfo">localhost</Data>
+      <Data Name="ProcessId">0x0000000000000194</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:45:59.180204"/>
+      <EventRecordID>1166</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="1064"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000157773</Data>
+      <Data Name="LogonType">7</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000194</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:45:59.180204"/>
+      <EventRecordID>1167</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="1064"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x000000000015777f</Data>
+      <Data Name="LogonType">7</Data>
+      <Data Name="LogonProcessName">User32 </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName">INFORMANT-PC</Data>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x0000000000000194</Data>
+      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
+      <Data Name="IpAddress">127.0.0.1</Data>
+      <Data Name="IpPort">0</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:45:59.180204"/>
+      <EventRecordID>1168</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="1064"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="SubjectUserName">informant</Data>
+      <Data Name="SubjectDomainName">informant-PC</Data>
+      <Data Name="SubjectLogonId">0x0000000000157773</Data>
+      <Data Name="PrivilegeList">SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4634</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:45:59.180204"/>
+      <EventRecordID>1169</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="1064"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x000000000015777f</Data>
+      <Data Name="LogonType">7</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4634</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:45:59.180204"/>
+      <EventRecordID>1170</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="1064"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000157773</Data>
+      <Data Name="LogonType">7</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:50:28.948605"/>
+      <EventRecordID>1171</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="2304"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:50:28.948605"/>
+      <EventRecordID>1172</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="2304"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:50:30.305803"/>
+      <EventRecordID>1173</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="2304"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:50:30.305803"/>
+      <EventRecordID>1174</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="2304"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:50:30.430605"/>
+      <EventRecordID>1175</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="2592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:50:30.430605"/>
+      <EventRecordID>1176</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="2592"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4904</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:50:45.235004"/>
+      <EventRecordID>1177</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="2888"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="AuditSourceName">VSSAudit</Data>
+      <Data Name="EventSourceId">0x00000000001aa8e7</Data>
+      <Data Name="ProcessId">0x0000000000000934</Data>
+      <Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4905</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:50:45.235004"/>
+      <EventRecordID>1178</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="2888"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="AuditSourceName">VSSAudit</Data>
+      <Data Name="EventSourceId">0x00000000001aa8e7</Data>
+      <Data Name="ProcessId">0x0000000000000934</Data>
+      <Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:50:50.960205"/>
+      <EventRecordID>1179</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="2888"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:50:50.960205"/>
+      <EventRecordID>1180</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="2888"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:56:55.922205"/>
+      <EventRecordID>1181</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="3772"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:56:55.922205"/>
+      <EventRecordID>1182</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="3772"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:57:18.230204"/>
+      <EventRecordID>1183</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="528"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:57:18.230204"/>
+      <EventRecordID>1184</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="528"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:57:18.479805"/>
+      <EventRecordID>1185</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="528"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:57:18.479805"/>
+      <EventRecordID>1186</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="528"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4904</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:57:33.393404"/>
+      <EventRecordID>1187</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="4040"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="AuditSourceName">VSSAudit</Data>
+      <Data Name="EventSourceId">0x0000000000245dcb</Data>
+      <Data Name="ProcessId">0x0000000000000aa4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4905</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>13568</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 14:57:33.393404"/>
+      <EventRecordID>1188</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="4040"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="AuditSourceName">VSSAudit</Data>
+      <Data Name="EventSourceId">0x0000000000245dcb</Data>
+      <Data Name="ProcessId">0x0000000000000aa4</Data>
+      <Data Name="ProcessName">C:\Windows\System32\VSSVC.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4624</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12544</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 15:18:54.221603"/>
+      <EventRecordID>1189</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="528"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">INFORMANT-PC$</Data>
+      <Data Name="SubjectDomainName">WORKGROUP</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="TargetUserSid">S-1-5-18</Data>
+      <Data Name="TargetUserName">SYSTEM</Data>
+      <Data Name="TargetDomainName">NT AUTHORITY</Data>
+      <Data Name="TargetLogonId">0x00000000000003e7</Data>
+      <Data Name="LogonType">5</Data>
+      <Data Name="LogonProcessName">Advapi  </Data>
+      <Data Name="AuthenticationPackageName">Negotiate</Data>
+      <Data Name="WorkstationName"/>
+      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
+      <Data Name="TransmittedServices">-</Data>
+      <Data Name="LmPackageName">-</Data>
+      <Data Name="KeyLength">0</Data>
+      <Data Name="ProcessId">0x00000000000001d0</Data>
+      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
+      <Data Name="IpAddress">-</Data>
+      <Data Name="IpPort">-</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4672</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12548</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 15:18:54.221603"/>
+      <EventRecordID>1190</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="528"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-18</Data>
+      <Data Name="SubjectUserName">SYSTEM</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e7</Data>
+      <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
+			SeTcbPrivilege
+			SeSecurityPrivilege
+			SeTakeOwnershipPrivilege
+			SeLoadDriverPrivilege
+			SeBackupPrivilege
+			SeRestorePrivilege
+			SeDebugPrivilege
+			SeAuditPrivilege
+			SeSystemEnvironmentPrivilege
+			SeImpersonatePrivilege</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4647</EventID>
+      <Version>0</Version>
+      <Level>0</Level>
+      <Task>12545</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 15:30:57.775204"/>
+      <EventRecordID>1191</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="472" ThreadID="3968"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="TargetUserSid">S-1-5-21-2425377081-3129163575-2985601102-1000</Data>
+      <Data Name="TargetUserName">informant</Data>
+      <Data Name="TargetDomainName">informant-PC</Data>
+      <Data Name="TargetLogonId">0x0000000000025493</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/>
+      <EventID Qualifiers="">4616</EventID>
+      <Version>1</Version>
+      <Level>0</Level>
+      <Task>12288</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x8020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 15:31:00.240000"/>
+      <EventRecordID>1192</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="4" ThreadID="64"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <EventData>
+      <Data Name="SubjectUserSid">S-1-5-19</Data>
+      <Data Name="SubjectUserName">LOCAL SERVICE</Data>
+      <Data Name="SubjectDomainName">NT AUTHORITY</Data>
+      <Data Name="SubjectLogonId">0x00000000000003e5</Data>
+      <Data Name="PreviousTime">2015-03-25 15:31:00.240004</Data>
+      <Data Name="NewTime">2015-03-25 15:31:00.240000</Data>
+      <Data Name="ProcessId">0x0000000000000330</Data>
+      <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
+    </EventData>
+  </Event>
+  <Event>
+    <System>
+      <Provider Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" Name="Microsoft-Windows-Eventlog"/>
+      <EventID Qualifiers="">1100</EventID>
+      <Version>0</Version>
+      <Level>4</Level>
+      <Task>103</Task>
+      <Opcode>0</Opcode>
+      <Keywords>0x4020000000000000</Keywords>
+      <TimeCreated SystemTime="2015-03-25 15:31:00.364799"/>
+      <EventRecordID>1193</EventRecordID>
+      <Correlation ActivityID="" RelatedActivityID=""/>
+      <Execution ProcessID="752" ThreadID="3912"/>
+      <Channel>Security</Channel>
+      <Computer>informant-PC</Computer>
+      <Security UserID=""/>
+    </System>
+    <UserData>
+      <ServiceShutdown/>
+    </UserData>
+  </Event>
+</Events>
\ No newline at end of file
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_findall_eventid_time.py b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_findall_eventid_time.py
new file mode 100644
index 0000000..f178e39
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_findall_eventid_time.py
@@ -0,0 +1,22 @@
+import xml.etree.ElementTree as ET
+import xml.dom.minidom as minidom
+
+tree = ET.parse("SecurityEvt_ns_removed.xml")
+root = tree.getroot()
+
+# Iterate through all System elements
+for system_element in root.findall(".//System"):
+    event_id_element = system_element.find("EventID")
+    time_created_element = system_element.find("TimeCreated")
+
+    # Check if EventID and TimeCreated elements exist
+    if (
+        event_id_element is not None
+        and event_id_element.text == "4608"
+        and time_created_element is not None
+    ):
+        event_id = event_id_element.text
+        system_time = time_created_element.get("SystemTime")
+
+        # Print the lists of EventID and TimeCreated values
+        print("EventIDs: {} and SystemTimes: {}".format(event_id, system_time))
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_format.py b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_format.py
new file mode 100644
index 0000000..1e80eca
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_format.py
@@ -0,0 +1,26 @@
+import xml.etree.ElementTree as ET
+import xml.dom.minidom as minidom
+
+tree = ET.parse("SecurityEvt_ns_removed.xml")
+root = tree.getroot()
+
+# Convert the entire XML to a string with pretty formatting
+formatted_xml_str = ET.tostring(root, encoding="utf-8", method="xml").decode("utf-8")
+
+# Parse the formatted XML content
+dom = minidom.parseString(formatted_xml_str)
+
+# Pretty print the XML content
+pretty_xml = dom.toprettyxml(indent="  ")
+
+# Remove extra blank lines
+non_empty_pretty_lines = [line for line in pretty_xml.splitlines() if line.strip()]
+
+# Join the lines to get the final XML content
+formatted_xml = "\n".join(non_empty_pretty_lines)
+
+# Save the nicely formatted XML to a new file
+with open("securityEvt_formatted.xml", "w") as file:
+    file.write(formatted_xml)
+
+print("Formatted XML saved to 'securityEvt_formatted.xml'.")
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_list_tags.py b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_list_tags.py
new file mode 100644
index 0000000..bed55e8
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_list_tags.py
@@ -0,0 +1,16 @@
+import xml.etree.ElementTree as ET
+
+tree = ET.parse("SecurityEvt.xml")
+root = tree.getroot()
+
+# Create an empty set to store unique tag names
+tag_names = set()
+
+# Iterate through the elements and collect unique tag names
+for element in root.iter():
+    tag_names.add(element.tag)
+
+# Convert the set to a sorted list and print the tag names
+tag_list = sorted(tag_names)
+for tag in tag_list:
+    print(tag)
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_ns_remove.py b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_ns_remove.py
new file mode 100644
index 0000000..87de7db
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_ns_remove.py
@@ -0,0 +1,23 @@
+import xml.etree.ElementTree as ET
+
+tree = ET.parse("SecurityEvt.xml")
+root = tree.getroot()
+
+
+# Define a function to recursively remove all namespace prefixes
+def remove_namespace_prefix(element):
+    # print(element.tag)
+    element.tag = element.tag.split("}", 1)[-1]  # Remove namespace prefix
+    for child in element:
+        remove_namespace_prefix(child)
+
+
+# Remove namespace prefixes from the root element and its descendants
+remove_namespace_prefix(root)
+
+# Convert the modified XML tree to a string
+modified_xml = ET.tostring(root, encoding="utf-8")
+
+# Save the updated XML to a new file
+with open("SecurityEvt_ns_removed.xml", "wb") as f:
+    f.write(modified_xml)
diff --git a/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_show_first_event.py b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_show_first_event.py
new file mode 100644
index 0000000..9dc05c0
--- /dev/null
+++ b/NIST_Data_Leakage_Case/py_version/pycode/security_evt_xml/securityevt_show_first_event.py
@@ -0,0 +1,24 @@
+import xml.etree.ElementTree as ET
+import xml.dom.minidom as minidom
+
+tree = ET.parse("SecurityEvt_ns_removed.xml")
+root = tree.getroot()
+
+# Find the first Event element
+first_event = root.find(".//Event")
+
+# Check if a Event element was found
+if first_event is not None:
+    # Convert the first Event element to a string with pretty formatting
+    first_event_str = ET.tostring(first_event, encoding="unicode", method="xml")
+
+    # Parse the XML content
+    dom = minidom.parseString(first_event_str)
+
+    # Pretty print the XML content
+    pretty_xml = dom.toprettyxml(indent="   ")
+
+    # Print the nicely formatted XML
+    print(pretty_xml)
+else:
+    print("No Event elements found in the XML.")